<?xml version="1.0"?><rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/"><channel><title>TUAW - The Unofficial Apple Weblog</title><link>http://www.tuaw.com</link><description>TUAW - The Unofficial Apple Weblog</description><image><url>http://www.blogsmithmedia.com/www.tuaw.com/media/feedlogo.gif</url><title>TUAW - The Unofficial Apple Weblog</title><link>http://www.tuaw.com</link></image><language>en-us</language><copyright>Copyright 2013 Weblogs, Inc. The contents of this feed are available for non-commercial use only.</copyright><generator>Blogsmith http://www.blogsmith.com/</generator><item><title>US Pentagon grants security clearance to iPad, iPhone</title><link>http://www.tuaw.com/2013/05/17/us-pentagon-grants-security-clearance-to-ipad-iphone/</link><guid isPermaLink="true">http://www.tuaw.com/2013/05/17/us-pentagon-grants-security-clearance-to-ipad-iphone/</guid><comments>http://www.tuaw.com/2013/05/17/us-pentagon-grants-security-clearance-to-ipad-iphone/#comments</comments><description><![CDATA[<p style="text-align:center;padding:0;margin:0 0 10px 0"><img alt="" border="0" height="304" src="http://www.blogcdn.com//media/2013/05/iphonesrulethepentagon051713.jpeg" width="456" /></p>

<p>Earlier this month <a href="http://www.tuaw.com/2013/05/07/ios-6-obtains-fips-140-2-certification-opening-door-to-more-gov/">TUAW reported that iOS 6 had obtained FIPS 140-2 certification</a>, "opening the door to more government use." It didn't take long for that door to swing wide open, as the <a href="http://www.bloomberg.com/news/2013-05-17/apple-mobile-devices-cleared-for-use-on-u-s-military-networks.html">Pentagon has now officially approved iPhones and iPads</a> running a version of iOS 6 for use on secure government networks.</p>

<p>Two weeks ago, Samsung devices running the <a href="http://www.samsung.com/global/business/mobile/solution/security/samsung-knox">Knox security layer</a> and BlackBerry devices including the BlackBerry 10 smartphones and PlayBook tablets were given the nod by the US military. Adding Apple's iOS devices to the mix was part of the platform-agnostic plans of the Pentagon revealed in February. Those plans detailed adding wireless voice, video and data capabilities for classified and unclassified communications by October 2013. The approved devices will begin to be used more widely in the military and intelligence communities late in 2013 or in early 2014.</p>

<p>iPhones and iPads already have a home in some parts of the government that don't require such strict security, but the new Pentagon certification should make for more widespread adoption of iOS.</p>

<p>[via <a href="http://appleinsider.com/articles/13/05/17/pentagon-officially-grants-security-clearance-to-apples-iphone-and-ipad">AppleInsider</a>]</p><p style="padding:5px;background:#ddd;border:1px solid #ccc;clear:both;"><a href="http://www.tuaw.com/2013/05/17/us-pentagon-grants-security-clearance-to-ipad-iphone/">US Pentagon grants security clearance to iPad, iPhone</a> originally appeared on <a href="http://www.tuaw.com">TUAW - The Unofficial Apple Weblog</a> on Fri, 17 May 2013 16:00:00 EST.  Please see our <a href="http://www.weblogsinc.com/feed-terms/">terms for use of feeds</a>.</p>]]></description><category>AppleInsider</category><category>BlackBerry</category><category>BlackBerry 10</category><category>FIPS 140-2</category><category>iOS</category><category>IOS 6</category><category>iPad</category><category>iPhone</category><category>knox</category><category>SciTech</category><dc:creator>Steven Sande</dc:creator><pubDate>Fri, 17 May 2013 16:00:00 EST</pubDate></item><item><title>Your Mac's connection to Harry Potter</title><link>http://www.tuaw.com/2013/05/17/your-macs-connection-to-harry-potter/</link><guid isPermaLink="true">http://www.tuaw.com/2013/05/17/your-macs-connection-to-harry-potter/</guid><comments>http://www.tuaw.com/2013/05/17/your-macs-connection-to-harry-potter/#comments</comments><description><![CDATA[<p style="text-align:center;padding:0;margin:0 0 10px 0"><img alt="" border="0" height="331" src="http://www.blogcdn.com//media/2013/05/harrypotterandthesmcofhell.jpeg" width="447" /></p>

<p>The next time you wish to hack into a Mac, it may help to grab your wand and book of spells. At the <a href="http://www.nosuchcon.org/">NoSuchCon</a> security conference this week, security architect Alex Ionescu presented a talk where he revealed that special undocumented code on a Mac's SMC (system management controller) <a href="http://arstechnica.com/security/2013/05/specialisrevelio-macs-use-harry-potter-spell-to-unlock-secret-backdoor/">can be invoked by entering a secret spell used in J.K. Rowling's <em>Harry Potter</em> series</a>.</p>

<p>That spell is "SpecialisRevelio," the words used by a wizard to <a href="http://harrypotter.wikia.com/wiki/Scarpin%27s_Revelaspell">"reveal charms and hexes that have been cast onto a target" or "reveal the ingredients of a potion."</a> In an Ars Technica post about the secret spell, blogger Dan Goodin notes, "While most details are far too technical for this article, the gist of the research is that the SMC is a chip that very few people can read, but just about anyone with rudimentary technical skills can 'flash' update."</p>

<p>One of the possible attacks that Ionescu pointed out is infecting the SMC with code to pull out the FileVault key used to encrypt a Mac drive, although to implement this, an attacker would have to know details of the Mac like the model, year and screen size in advance.</p>

<p>Much more likely uses of the spell backdoor include marking targets. The SMC could be programmed to emit audible or visual alerts through the fans or LED displays, which could point out a specific Mac to an attacker. A Mac could even be programmed to turn off at a certain time and refuse to boot again.</p>

<p>There's good news in all of this scary talk: to reflash the firmware an attacker has to have physical access to the Mac. Ionescu also reported that many of the SMC security holes were plugged in OS X Mountain Lion. <a href="http://www.nosuchcon.org/talks/D1_02_Alex_Ninjas_and_Harry_Potter.pdf">A full copy of the presentation can be downloaded here</a> (PDF file).</p><p style="padding:5px;background:#ddd;border:1px solid #ccc;clear:both;"><a href="http://www.tuaw.com/2013/05/17/your-macs-connection-to-harry-potter/">Your Mac's connection to Harry Potter</a> originally appeared on <a href="http://www.tuaw.com">TUAW - The Unofficial Apple Weblog</a> on Fri, 17 May 2013 15:00:00 EST.  Please see our <a href="http://www.weblogsinc.com/feed-terms/">terms for use of feeds</a>.</p>]]></description><category>Ars Technica</category><category>Backdoor</category><category>FileVault</category><category>Harry Potter</category><category>J. K. Rowling</category><category>Mac</category><category>NoSuchCon</category><category>OS X Mountain Lion</category><category>SciTech</category><category>Security</category><category>SMC</category><dc:creator>Steven Sande</dc:creator><pubDate>Fri, 17 May 2013 15:00:00 EST</pubDate></item><item><title>Talkcast preview: Dolly Drive and backups and Kelly and...you?</title><link>http://www.tuaw.com/2013/04/05/talkcast-preview-dolly-drive-and-backups-and-kelly-and-you/</link><guid isPermaLink="true">http://www.tuaw.com/2013/04/05/talkcast-preview-dolly-drive-and-backups-and-kelly-and-you/</guid><comments>http://www.tuaw.com/2013/04/05/talkcast-preview-dolly-drive-and-backups-and-kelly-and-you/#comments</comments><description><![CDATA[<p>
	<img alt="" src="http://www.blogcdn.com//media/2013/04/dollydrive-logo.png" style="border-width: 0px; border-style: solid; float: right; width: 250px; height: 188px;" /></p>
<p>
	I know, it's weird to see a sneak peek of the talkcast, but this week it's a Very Special Talkcast. We'll be chatting with the <a href="http://www.dollydrive.com/">Dolly Drive</a> folks about backups and cloud syncing and what it all means for users and their data.</p>
<p>
	You may have noticed a couple of our staffers have been known to bang the backup drum, and that's because it's super important to make sure you have another copy of your data someplace. It's our way of looking out for you, the technological equivalent of reminding you to put your coat on before you leave the house.</p>
<p>
	I'd go on more, but the <a href="http://www.dollydrive.com/2013/04/listen-to-us-on-the-tuaw-podcast-sunday-night-and-forever/">Dolly Drive Blog</a> has a very nice writeup themselves, and I don't have a lot to add to it except that you should join us Sunday evening (7pm Pacific/10pm Eastern) for the live show. We will be discussing backups and clouds and syncs. A lot of ins, a lot of outs, a lot of what have yous...</p>
<p>
	Here's the bit I can tell you about the Talkcast: Dolly Drive has graciously agreed to give away permanent free accounts to some listeners! "But Kelly!", you may be saying, "I'm not listening NOW, I'm reading!" Excellent point, Dear Reader. Knowing full well that the W in our name is for Weblog, not Webcast, Dolly Drive has also reserved two permanent 50 GB Lifetime accounts to give away to our fabulous readers! We will inform the winners on Sunday evening, after 9pm Pacific/Midnight Eastern, along with the winners of our talkcast giveaways. As with all the things we give away on the site, we have a few rules that we have to point out, so here's the fine print:</p>
<ul>
	<li>
		Open to legal US residents of the 50 United States, the District of Columbia and Canada (excluding Quebec) who are 18 and older.</li>
	<li>
		To enter, fill out the form below completely and click or tap the Submit button.</li>
	<li>
		The entry must be made before April 7, 2013 11:59PM Eastern Daylight Time.</li>
	<li>
		You may enter only once.</li>
	<li>
		Two winners will be selected and each will receive a permanent lifetime 50 GB Dolly Drive account valued at $42 USD/yr.</li>
	<li>
		<a href="http://www.tuaw.com/giveaway-us-canada/">Click Here for complete Official Rules.</a></li>
</ul>
<p>
	<iframe frameborder="0" height="500" marginheight="0" marginwidth="0" src="https://docs.google.com/forms/d/1_kA1cNt4uiKrOmHU4otXKgStlkdqP6kERvw0_8bTf7o/viewform?embedded=true" width="456">Loading...</iframe></p><p style="padding:5px;background:#ddd;border:1px solid #ccc;clear:both;"><a href="http://www.tuaw.com/2013/04/05/talkcast-preview-dolly-drive-and-backups-and-kelly-and-you/">Talkcast preview: Dolly Drive and backups and Kelly and...you?</a> originally appeared on <a href="http://www.tuaw.com">TUAW - The Unofficial Apple Weblog</a> on Fri, 05 Apr 2013 20:00:00 EST.  Please see our <a href="http://www.weblogsinc.com/feed-terms/">terms for use of feeds</a>.</p>]]></description><category>dolly drive</category><category>DollyDrive</category><category>giveaway</category><category>talkcast</category><dc:creator>Kelly Guimont</dc:creator><pubDate>Fri, 05 Apr 2013 20:00:00 EST</pubDate></item><item><title>Apple on the verge of rolling out two-step verification for iCloud, Apple ID</title><link>http://www.tuaw.com/2013/03/21/apple-on-the-verge-of-rolling-out-two-step-verification-for-iclo/</link><guid isPermaLink="true">http://www.tuaw.com/2013/03/21/apple-on-the-verge-of-rolling-out-two-step-verification-for-iclo/</guid><comments>http://www.tuaw.com/2013/03/21/apple-on-the-verge-of-rolling-out-two-step-verification-for-iclo/#comments</comments><description><![CDATA[<p style="text-align: center;">
	<img alt="Apple about to roll out twostep verification for iCloud, Apple ID" data-src-height="278" data-src-width="456" src="http://www.blogcdn.com/www.tuaw.com/media/2013/03/notreadyforprimetimetwostep.jpg" style="margin:4px" /></p>
<p>
	According to a report on 9to5 Mac, <a href="http://9to5mac.com/2013/03/21/apple-beefs-up-icloud-apple-id-security-with-two-step-verification/">Apple has begun training support personnel in advance of rolling out two-step authentication for iCloud and Apple ID</a>. This is a significant step towards enhanced security for Apple accounts as it requires both a trusted device and an extra security code in addition to a password. Other cloud providers currently providing two-step authentication include <a href="http://www.tuaw.com/2012/08/27/dropbox-two-step-verification-available-for-testing/">Dropbox</a> and Google.</p>
<p>
	Apple's relatively weak security for its online services came under the spotlight last year when <a href="http://www.tuaw.com/2012/08/04/hacked-icloud-password-leads-to-nightmare/">tech writer Mat Honan suffered a hack attack that compromised his iCloud account</a>. It appears that 9to5 Mac may have jumped the gun in terms of posting this information, as the <a href="https://appleid.apple.com/">My Apple ID</a> website referenced heavily in their post displays placeholders instead of actual text and links (see image at the top of this post).</p>
<p>
	The way the system will work is that whenever you log in to manage your Apple ID on My Apple ID or make a purchase via iTunes, the App Store or iBookstore from a new device, you'll be asked to enter your password and a four-digit verification code. Without entering both the password and verification code correctly, account access is denied.</p>
<p>
	<img alt="Apple about to roll out twostep verification for iCloud, Apple ID" data-src-height="148" data-src-width="456" src="http://www.blogcdn.com/www.tuaw.com/media/2013/03/icloudtwostep.jpg" style="font-size: 10pt; line-height: 12pt; margin: 4px;" /></p>
<p>
	Apple will also provide a 14-digit Recovery Key that they recommend printing and keeping in a safe place. This allows Apple ID users to regain access to their accounts if they lose their devices or forget their password. One other good feature -- you'll no longer need to create or remember any security questions.</p>
<p>
	Two-step verification will initially be available in the US, UK, Australia, New Zealand and Ireland, with additional countries added over time.</p><p style="padding:5px;background:#ddd;border:1px solid #ccc;clear:both;"><a href="http://www.tuaw.com/2013/03/21/apple-on-the-verge-of-rolling-out-two-step-verification-for-iclo/">Apple on the verge of rolling out two-step verification for iCloud, Apple ID</a> originally appeared on <a href="http://www.tuaw.com">TUAW - The Unofficial Apple Weblog</a> on Thu, 21 Mar 2013 15:30:00 EST.  Please see our <a href="http://www.weblogsinc.com/feed-terms/">terms for use of feeds</a>.</p>]]></description><category>apple</category><category>apple id</category><category>AppleId</category><category>icloud</category><category>my apple id</category><category>MyAppleId</category><category>two step authentication</category><category>TwoStepAuthentication</category><dc:creator>Steven Sande</dc:creator><pubDate>Thu, 21 Mar 2013 15:30:00 EST</pubDate></item><item><title>Software Update: Java for OS X 2013-002 1.0</title><link>http://www.tuaw.com/2013/03/04/software-update-java-for-os-x-2013-002-1-0/</link><guid isPermaLink="true">http://www.tuaw.com/2013/03/04/software-update-java-for-os-x-2013-002-1-0/</guid><comments>http://www.tuaw.com/2013/03/04/software-update-java-for-os-x-2013-002-1-0/#comments</comments><description><![CDATA[<p style="text-align:center;padding:0;margin:0 0 10px 0">
	<img alt="" border="0" height="264" src="http://www.blogcdn.com//media/2013/03/javaforosx2013-002.jpg" width="456" /></p>
<p>
	Apple has released Java for OS X 2013-002 1.0 today. You can install the update for OS X 10.7 and later by launching the Mac App Store and clicking the Updates icon, or download the update directly <a href="http://support.apple.com/kb/DL1572">here</a>.</p>
<p>
	According to the <a href="http://support.apple.com/kb/HT5675">update notes</a>,</p>
<blockquote>
	<p>
		"This release updates the Apple-provided system Java SE 6 to version 1.6.0_43 and is for OS X versions 10.7 or later.</p>
	<p>
		This update uninstalls the Apple-provided Java applet plug-in from all web browsers. To use applets on a web page, click on the region labeled "Missing plug-in" to go download the latest version of the Java applet plug-in from Oracle.</p>
	<p>
		This update also removes the Java Preferences application, which is no longer required to configure applet settings."</p>
</blockquote>
<p>
	This update is Apple's response to recent Java vulnerabilities, <a href="http://www.tuaw.com/2013/02/19/apple-issues-javascript-security-update-and-malware-removal-too/">one of which directly affected employees at 1 Infinite Loop</a>.</p><p style="padding:5px;background:#ddd;border:1px solid #ccc;clear:both;"><a href="http://www.tuaw.com/2013/03/04/software-update-java-for-os-x-2013-002-1-0/">Software Update: Java for OS X 2013-002 1.0</a> originally appeared on <a href="http://www.tuaw.com">TUAW - The Unofficial Apple Weblog</a> on Mon, 04 Mar 2013 17:25:00 EST.  Please see our <a href="http://www.weblogsinc.com/feed-terms/">terms for use of feeds</a>.</p>]]></description><category>java for os x</category><category>JavaForOsX</category><category>Mac</category><category>os x</category><category>OsX</category><category>security</category><dc:creator>Steven Sande</dc:creator><pubDate>Mon, 04 Mar 2013 17:25:00 EST</pubDate></item><item><title>Talkcast tonight, 10pm ET/7pm PT: Scattered passwords, like the corners of my cloud</title><link>http://www.tuaw.com/2013/03/03/talkcast-tonight-10pm-et-7pm-pt-scattered-passwords-like-the/</link><guid isPermaLink="true">http://www.tuaw.com/2013/03/03/talkcast-tonight-10pm-et-7pm-pt-scattered-passwords-like-the/</guid><comments>http://www.tuaw.com/2013/03/03/talkcast-tonight-10pm-et-7pm-pt-scattered-passwords-like-the/#comments</comments><description><![CDATA[<p>  <img src="http://www.blogcdn.com/www.tuaw.com/media/2010/01/343493408bc439ab28bm.jpg" style="margin: 8px; float: right; width: 240px; height: 175px;" />You can have near-perfect digital security -- a FileVault-protected computer, onsite and offsite backups, a team of angry vultures flapping around your ISP connection 24/7 -- and still be undone by breaches outside your control. 
<a href="http://www.tuaw.com/2013/03/03/evernote-forces-password-reset-after-suspicious-activity/#aol-comments">Evernote is the latest service</a> to acknowledge porous borders around its user information.</p> <p>  Let's pessimistically assume that at some point each of your online service accounts will be attacked, either by malware on your machine or by hackers at the home office. The unfortunate but unavoidable consequence of these breaches is that you have to work extra-hard to isolate those services, so a problem in one corner won't break down the rest of the fortress.</p> <p>  <a href="http://www.wired.com/gadgetlab/2012/11/ff-mat-honan-password-hacker/all/">Unique passwords, a throwaway reset email account and false security answers</a>: we'll talk about those techniques and more tonight on the security-conscious Talkcast. Bring your questions and your answers, and we'll see where the line between <a href="http://reasonableguide.com">reasonable</a> security and outright paranoia might be.</p> <p>  To participate live during the show, you can use the <a href="http://www.talkshoe.com/blog/index.php/the-new-talkshoe-a-message-from-the-ceo/">browser-only Talkshoe client</a>, the embedded <a href="http://www.facebook.com/r.php?referrer=112&amp;app_id=9051855207&amp;app_data=?extTsPage?001talkshoeapp001content001viewCall.faces001001001001talkcastId00100100145077">Facebook app</a>, or download the classic <a href="http://download.talkshoe.com/TalkShoeSetup_macos.dmg">TalkShoe Pro Java client</a>; however, the best way to have your voice heard is to call in.</p> <p>  For the web UI, just click the Talkshoe Web button on <a href="http://www.talkshoe.com/talkshoe/web/talkCast.jsp?masterId=45077&amp;cmd=tc">our profile page</a> at 4 HI/7 PDT/10 pm EDT Sunday. 
To call in on regular phone or VoIP lines (viva free weekend minutes!): dial (724) 444-7444 and enter our talkcast ID, 45077 -- during the call, you can request to talk by keying in *8.</p> <p>  If you've got a headset or microphone handy on your Mac, you can connect via the free <a href="http://www.counterpath.com/x-lite-download.html">X-Lite</a> or other SIP clients (aside from Skype or Google Voice), <a href="http://mediaminutes.net/TalkShoe/">basic instructions are here.</a> Talk to you tonight!</p><p style="padding:5px;background:#ddd;border:1px solid #ccc;clear:both;"><a href="http://www.tuaw.com/2013/03/03/talkcast-tonight-10pm-et-7pm-pt-scattered-passwords-like-the/">Talkcast tonight, 10pm ET/7pm PT: Scattered passwords, like the corners of my cloud</a> originally appeared on <a href="http://www.tuaw.com">TUAW - The Unofficial Apple Weblog</a> on Sun, 03 Mar 2013 20:05:00 EST.  Please see our <a href="http://www.weblogsinc.com/feed-terms/">terms for use of feeds</a>.</p>]]></description><category>features</category><category>podcast</category><category>security</category><category>talkcast</category><dc:creator>Michael Rose</dc:creator><pubDate>Sun, 03 Mar 2013 20:05:00 EST</pubDate></item><item><title>Evernote forces password reset after "suspicious activity"</title><link>http://www.tuaw.com/2013/03/03/evernote-forces-password-reset-after-suspicious-activity/</link><guid isPermaLink="true">http://www.tuaw.com/2013/03/03/evernote-forces-password-reset-after-suspicious-activity/</guid><comments>http://www.tuaw.com/2013/03/03/evernote-forces-password-reset-after-suspicious-activity/#comments</comments><description><![CDATA[<img alt="" border="0" height="250" src="http://www.blogcdn.com//media/2013/03/evernote250.jpg" style="float:right;margin:0 0 8px 8px;border:none" width="250" />
<p>
	The <a href="http://www.tuaw.com/2012/08/01/dropbox-sends-password-change-notification-to-some-users/">drumbeat</a> of corporate <a href="http://venturebeat.com/2013/02/23/microsoft-java-cyberattack/">security</a> issues pounds on, with hybrid cloud/local notekeeping service <a href="http://blog.evernote.com/blog/2013/03/02/security-notice-service-wide-password-reset/">Evernote reporting this weekend</a> that its internal security team "discovered and blocked suspicious activity" aimed at sensitive areas of <a href="http://tuaw.com/tag/evernote">Evernote's</a> service. Although neither billing information nor actual client notes were exposed in this breach, Evernote does acknowledge that some user account information -- usernames, email addresses and encrypted passwords -- was accessed. </p>
<p>
	While none of the user passwords were stored in the clear, the fact that they may be in the hands of hackers (along with the corresponding user credentials) led Evernote to force a password reset for all its millions of users. If you've gotten a password reset notice from Evernote, it's almost certainly legitimate, but in the interest of proper procedure <a href="http://nakedsecurity.sophos.com/2013/03/03/evernote-reset-password/">you should <em>not</em> click the login link</a> in the email. Open a trusted browser (these days, that means one with <a href="http://www.fastcompany.com/3006441/fast-feed/security-flaw-java-code-being-used-attack-computers-now">Java applets disabled</a>) and type in "www.evernote.com" directly to reset your login credentials. If you need help generating and storing a strong password, our <a href="http://www.tuaw.com/2010/12/14/mac-101-generating-strong-passwords-with-keychain-1password-or/">guide to password creation</a> is here for you.</p>
<p>
	As more and more cloud services are subject to attacks that target user login details, it's become overwhelmingly clear that just having a <a href="http://krebsonsecurity.com/password-dos-and-donts/">strong password isn't enough</a>; if you reused your Evernote password on any other service (especially your email account), you have a potentially serious problem. <a href="http://maxbeatty.com/blog/2010/12/identify-duplicate-logins-1password/">Managing unique passwords</a> for scores or hundreds of accounts is no picnic, but utilities like <a href="http://1Password.com">1Password</a> or <a href="http://lastpass.com/support.php?cmd=showfaq&amp;id=1446">LastPass</a> can <a href="http://blog.agilebits.com/2011/04/29/tips-how-to-find-duplicate-passwords/">make it easier</a> to <a href="http://lifehacker.com/5712907/use-lastpass-to-audit-and-update-your-passwords">find and change</a> <a href="http://blog.agilebits.com/tag/password-reuse/">your re-used passwords.</a></p><p style="padding:5px;background:#ddd;border:1px solid #ccc;clear:both;"><a href="http://www.tuaw.com/2013/03/03/evernote-forces-password-reset-after-suspicious-activity/">Evernote forces password reset after "suspicious activity"</a> originally appeared on <a href="http://www.tuaw.com">TUAW - The Unofficial Apple Weblog</a> on Sun, 03 Mar 2013 17:00:00 EST.  Please see our <a href="http://www.weblogsinc.com/feed-terms/">terms for use of feeds</a>.</p>]]></description><category>evernote</category><category>password</category><category>reset</category><category>security</category><dc:creator>Michael Rose</dc:creator><pubDate>Sun, 03 Mar 2013 17:00:00 EST</pubDate></item><item><title>Another passcode bypass flaw found in iOS 6.1</title><link>http://www.tuaw.com/2013/02/25/another-passcode-bypass-flaw-found-in-ios-6-1/</link><guid isPermaLink="true">http://www.tuaw.com/2013/02/25/another-passcode-bypass-flaw-found-in-ios-6-1/</guid><comments>http://www.tuaw.com/2013/02/25/another-passcode-bypass-flaw-found-in-ios-6-1/#comments</comments><description><![CDATA[<img alt="" border="0" height="169" src="http://www.blogcdn.com//media/2013/02/passcode.022513.jpg" style="float:right;margin:0 0 8px 8px;border:none" width="225" />
<p>
	Just over a week after <a href="http://www.tuaw.com/2013/02/14/flaw-in-ios-6-1-lets-users-bypass-the-iphones-lockscreen-passwo/">a flaw was discovered</a> in iOS 6.1 that grants unauthorized access to passcode-protected devices, a new exploit has surfaced that opens up user data to prying eyes even further. <a href="http://threatpost.com/en_us/blogs/another-iphone-passcode-bypass-vulnerability-discovered-022513">Threatpost</a> reports that the newly discovered vulnerability lets unscrupulous folks connect an iOS device via USB and transfer data -- including photos -- to a computer without needing to enter a passcode.</p>
<p>
	Apple has <a href="http://www.tuaw.com/2013/02/14/flaw-in-ios-6-1-lets-users-bypass-the-iphones-lockscreen-passwo/">publicly confirmed</a> that it intends to fix the passcode security issue that surfaced earlier this month in a forthcoming iOS release, likely 6.1.3. It's not clear if the company is aware of this second flaw or if a fix for it is also inbound. Since this new exploit is based off of the earlier one, it's possible that Apple will be able to kill two data-harvesting birds with one stone.</p>
<p>
	[Via <a href="http://www.macrumors.com/2013/02/25/second-lock-screen-bypass-in-ios-6-1-documented/">MacRumors</a>]</p><p style="padding:5px;background:#ddd;border:1px solid #ccc;clear:both;"><a href="http://www.tuaw.com/2013/02/25/another-passcode-bypass-flaw-found-in-ios-6-1/">Another passcode bypass flaw found in iOS 6.1</a> originally appeared on <a href="http://www.tuaw.com">TUAW - The Unofficial Apple Weblog</a> on Mon, 25 Feb 2013 20:30:00 EST.  Please see our <a href="http://www.weblogsinc.com/feed-terms/">terms for use of feeds</a>.</p>
<p><a href=http://seclists.org/fulldisclosure/2013/Feb/90>Read</a> | <a href="http://www.tuaw.com/2013/02/25/another-passcode-bypass-flaw-found-in-ios-6-1/" rel="bookmark" title="Permanent link to this entry">Permalink</a> | <a href="http://www.tuaw.com/forward/20477406/" title="Send this entry to a friend via email">Email this</a> | <a href="http://www.tuaw.com/2013/02/25/another-passcode-bypass-flaw-found-in-ios-6-1/#comments" title="View reader comments on this entry">Comments</a></p>]]></description><category>iOS</category><category>ios 6.1</category><category>Ios6.1</category><category>iPad</category><category>iPhone</category><category>iPod</category><category>passcode</category><category>security</category><dc:creator>Randy Nelson</dc:creator><pubDate>Mon, 25 Feb 2013 20:30:00 EST</pubDate></item><item><title>Apple targeted by hackers</title><link>http://www.tuaw.com/2013/02/19/apple-targeted-by-hackers/</link><guid isPermaLink="true">http://www.tuaw.com/2013/02/19/apple-targeted-by-hackers/</guid><comments>http://www.tuaw.com/2013/02/19/apple-targeted-by-hackers/#comments</comments><description><![CDATA[<p>
	<img alt="" src="http://www.blogcdn.com//media/2012/06/apple-wwdc-2012-logoscaled-1339174268.jpg" style="width: 250px; height: 154px; border-width: 0px; border-style: solid; margin: 8px; float: right;" />Reuters is reporting that <a href="http://www.reuters.com/article/2013/02/19/us-apple-hackers-idUSBRE91I10920130219">Apple has been targeted in a cyber-attack</a>. Apple announced the breach this morning, noting that malware had targeted a "limited number" of Mac systems. Reuters notes that the same hacker group is suspected of an attack on Facebook machines last week.</p>
<p>
	In a statement the company made to The Loop, <a href="http://www.loopinsight.com/2013/02/19/apple-comments-on-hacker-attack/">Apple said that the malware infected the systems through a vulnerability in the Java browser plug-in</a>. "The malware was employed in an attack against Apple and other companies, and was spread through a website for software developers. We identified a small number of systems within Apple that were infected and isolated them from our network. There is no evidence that any data left Apple. We are working closely with law enforcement to find the source of the malware."</p>
<p>
	<a href="http://www.tuaw.com/2013/01/11/a-reasonable-response-to-java-security-problems/">Macs with OS X Lion and Mountain Lion installed ship without Java</a>, and OS X currently disables Java if it is unused for 35 days. Apple will release an updated Java malware removal tool today that will check Mac systems and remove this particular malware if it is found.</p>
<p style="padding:5px;background:#ddd;border:1px solid #ccc;clear:both;"><a href="http://www.tuaw.com/2013/02/19/apple-targeted-by-hackers/">Apple targeted by hackers</a> originally appeared on <a href="http://www.tuaw.com">TUAW - The Unofficial Apple Weblog</a> on Tue, 19 Feb 2013 14:00:00 EST.  Please see our <a href="http://www.weblogsinc.com/feed-terms/">terms for use of feeds</a>.</p>
<p><a href=http://www.loopinsight.com/2013/02/19/apple-comments-on-hacker-attack/>Read</a> | <a href="http://www.tuaw.com/2013/02/19/apple-targeted-by-hackers/" rel="bookmark" title="Permanent link to this entry">Permalink</a> | <a href="http://www.tuaw.com/forward/20467694/" title="Send this entry to a friend via email">Email this</a> | <a href="http://www.tuaw.com/2013/02/19/apple-targeted-by-hackers/#comments" title="View reader comments on this entry">Comments</a></p>]]></description><category>apple</category><category>hacker</category><category>java</category><category>loop insight</category><category>LoopInsight</category><category>malware</category><category>os x</category><category>OsX</category><category>reuters</category><dc:creator>Steven Sande</dc:creator><pubDate>Tue, 19 Feb 2013 14:00:00 EST</pubDate></item><item><title>Java patched again, Snow Leopard users blocked from older version (Updated)</title><link>http://www.tuaw.com/2013/02/01/java-updated-again-snow-leopard-users-cannot-run-browser-applet/</link><guid isPermaLink="true">http://www.tuaw.com/2013/02/01/java-updated-again-snow-leopard-users-cannot-run-browser-applet/</guid><comments>http://www.tuaw.com/2013/02/01/java-updated-again-snow-leopard-users-cannot-run-browser-applet/#comments</comments><description><![CDATA[<p>
	<img alt="" src="http://www.blogcdn.com/www.tuaw.com/media/2010/10/140704-javaiconoriginal.jpg" style="width: 188px; height: 188px; border-width: 0px; border-style: solid; margin: 8px; float: right;" /><b>Update: </b>Apple's Java team has quickly responded to the patch with a revised <a href="http://support.apple.com/kb/DL1573">JVM for Snow Leopard, OS X 10.6</a>. The Java for Mac OS 10.6 Update version 12 (APPLE-SA-2013-02-01-1) is available in Software Update, according to an Apple security email. It updates <a href="http://www.oracle.com/technetwork/java/javase/6u39-relnotes-1902886.html">Java to 1.6.0_39</a>.</p>
<p>
	Another week, another Java exploit: <a href="http://blogs.computerworld.com/cybercrime-and-hacking/21725/new-java-oracle-whoopee-update-asap">Computerworld notes that Oracle has once again updated the Java VM</a> for all platforms to fend off a prospective exploit. The update is technically the <a href="http://www.oracle.com/technetwork/topics/security/javacpufeb2013-1841061.html">scheduled February critical updates release</a>, but the delivery was pushed up.</p>
<p>
	Unfortunately, while Mac users on OS X 10.7 Lion and 10.8 Mountain Lion can upgrade their JVMs using Oracle's installer for Java 7, Snow Leopard (10.6.8) machines are out of luck. Oracle's Java 7 installer won't run, and as of yesterday Apple's supplied Java 6 is blocked by Apple's own XProtect malware shield -- it won't do applets in Safari or Firefox until it's patched.</p>
<p>
	There are some hacky workarounds for either disabling/modifying the XProtect manifest (not recommended) or getting Java 7 to install on 10.6.8 (also not recommended) -- but if you need to run Java in the browser on 10.6.8, there aren't many better options.</p>
<p>
	Speaking of recommendations, <a href="http://www.tuaw.com/2013/01/11/a-reasonable-response-to-java-security-problems/">TJ's Reasonable Guide to Java security</a> is a good resource for managing your risks with Oracle's runtime.</p>
<p>
	<em>Thanks, Charles!</em></p><p style="padding:5px;background:#ddd;border:1px solid #ccc;clear:both;"><a href="http://www.tuaw.com/2013/02/01/java-updated-again-snow-leopard-users-cannot-run-browser-applet/">Java patched again, Snow Leopard users blocked from older version (Updated)</a> originally appeared on <a href="http://www.tuaw.com">TUAW - The Unofficial Apple Weblog</a> on Fri, 01 Feb 2013 20:30:00 EST.  Please see our <a href="http://www.weblogsinc.com/feed-terms/">terms for use of feeds</a>.</p>
<p><a href=http://www.oracle.com/technetwork/topics/security/javacpufeb2013-1841061.html>Read</a> | <a href="http://www.tuaw.com/2013/02/01/java-updated-again-snow-leopard-users-cannot-run-browser-applet/" rel="bookmark" title="Permanent link to this entry">Permalink</a> | <a href="http://www.tuaw.com/forward/20446784/" title="Send this entry to a friend via email">Email this</a> | <a href="http://www.tuaw.com/2013/02/01/java-updated-again-snow-leopard-users-cannot-run-browser-applet/#comments" title="View reader comments on this entry">Comments</a></p>]]></description><category>java</category><category>patch</category><category>security</category><category>snow leopard</category><category>SnowLeopard</category><dc:creator>Michael Rose</dc:creator><pubDate>Fri, 01 Feb 2013 20:30:00 EST</pubDate></item><item><title>Parent iPhones can track kids' non-iPhones with MobileKids</title><link>http://www.tuaw.com/2013/01/24/parent-iphones-can-track-kids-non-iphones-with-mobilekids/</link><guid isPermaLink="true">http://www.tuaw.com/2013/01/24/parent-iphones-can-track-kids-non-iphones-with-mobilekids/</guid><comments>http://www.tuaw.com/2013/01/24/parent-iphones-can-track-kids-non-iphones-with-mobilekids/#comments</comments><description><![CDATA[<p style="text-align: center; ">
	<img alt="mobilekids.jpg" border="0" height="402" hspace="8" src="http://www.blogcdn.com//media/2013/01/mobilekids.jpg" vspace="8" width="450" /></p>
<p>
	The delicate dance of independence, safety and personal boundaries between anxious parents and digital-generation kids is always tricky. Some apps and device usages are A-OK, some are a highly concentrated essence of bad choices (looking at you, <a href="http://techcrunch.com/2013/01/22/not-so-ephemeral-messaging-new-snapchat-hack-lets-users-save-photos-forever/">Snapchat</a>) -- but most fall into a gray area, subject to negotiation. Some parents may choose to know as much as possible about what their kids are doing online, and in turn they want their kids to know that they know.</p>
<p>
	<a href="http://mobilekids.com/">MobileKids</a>, the parent / child paired app launching in the US today, aims to replace uncertainty with information whenever possible; the goal, according to development house Bipper, is to bring back the transparency of kid tech usage that we had before mobile took over. "We aim to help parents define limits for a mobile generation much like parents did in previous generations when the only phone in the household was a landline attached to a wall," says founder and Norwegian mom Silje Vallestad, who was moved to launch the company when she noticed her daughter's friends using cellphones... at the ripe age of 6 years old.</p>
<p>
	The child app (only available for Symbian and Android at the moment, with a limited iOS client coming soon) delivers usage reports for the kid phone directly to the adult phone. Bipper previously offered a SIM-based parental reporting tool in Europe, but now focuses completely on apps (including the adult SOS app <a href="http://bsafeapp.com">bSafe</a>).</p>
<p>
	The platform-independent parent app can monitor kid device usage, check location (much like Find My Friends), set time controls or other usage thresholds, and in future versions will include geofencing alerts on the kid phone location. The parent app runs on both iPhone and Android, plus a web portal.</p>
<p>
	Full-on iOS households, however, aren't going to derive the maximum benefit from MobileSafe. As mentioned, right now there's no kid app for iOS at all; when it does arrive later this quarter, it won't be able to do the detailed monitoring that the Android and Symbian versions can deliver. It will, however, keep most of the location features and the Safety Alarm / SOS alert that kids can trigger to notify guardians of their location. Of course, it's possible that even iPhone-loving parents might choose a different device for their kids, and in that case the MobileKids pair may work well.</p>
<p>
	The MobileKids app <a href="http://blog.bipper.com/mobilekids/2012/12/18/mobilekids-launched-in-norway/#maincontent">has already launched</a> in the Norwegian App Store, and now US customers will be able to give it a try. The SOS alarm and basic features are all free to use; the advanced reporting features (most of which are not applicable if the child uses an iPhone) require a subscription plan at US$5.90/month or $59.90 per year.</p><p style="padding:5px;background:#ddd;border:1px solid #ccc;clear:both;"><a href="http://www.tuaw.com/2013/01/24/parent-iphones-can-track-kids-non-iphones-with-mobilekids/">Parent iPhones can track kids' non-iPhones with MobileKids</a> originally appeared on <a href="http://www.tuaw.com">TUAW - The Unofficial Apple Weblog</a> on Thu, 24 Jan 2013 09:00:00 EST.  Please see our <a href="http://www.weblogsinc.com/feed-terms/">terms for use of feeds</a>.</p>
<p><a href=http://mobilekids.com/>Read</a> | <a href="http://www.tuaw.com/2013/01/24/parent-iphones-can-track-kids-non-iphones-with-mobilekids/" rel="bookmark" title="Permanent link to this entry">Permalink</a> | <a href="http://www.tuaw.com/forward/20437252/" title="Send this entry to a friend via email">Email this</a> | <a href="http://www.tuaw.com/2013/01/24/parent-iphones-can-track-kids-non-iphones-with-mobilekids/#comments" title="View reader comments on this entry">Comments</a></p>]]></description><category>android</category><category>bipper</category><category>bsafe</category><category>child</category><category>features</category><category>ios</category><category>iphone</category><category>kids</category><category>parent</category><category>parenting</category><category>security</category><category>symbian</category><category>usage</category><dc:creator>Michael Rose</dc:creator><pubDate>Thu, 24 Jan 2013 09:00:00 EST</pubDate></item><item><title>Oracle releases v11 fix for zero-day Java security flaw</title><link>http://www.tuaw.com/2013/01/14/oracle-releases-fix-for-zero-day-java-security-bug/</link><guid isPermaLink="true">http://www.tuaw.com/2013/01/14/oracle-releases-fix-for-zero-day-java-security-bug/</guid><comments>http://www.tuaw.com/2013/01/14/oracle-releases-fix-for-zero-day-java-security-bug/#comments</comments><description><![CDATA[<img alt="" src="http://www.blogcdn.com//media/2013/01/images.jpeg" style="float: right; margin: 8px; border: 0px solid; width: 164px; height: 306px;" />
<p>
	Oracle has released an official fix for <a href="http://www.tuaw.com/2013/01/11/a-reasonable-response-to-java-security-problems/">the Java security flaw that was reported by CERT</a> (the Computer Emergency Readiness Team) on January 11. Shortly after the flagging by CERT, Apple took steps to <a href="http://www.tuaw.com/2013/01/11/a-reasonable-response-to-java-security-problems/">disable the Java plug-in on all Macs</a> running OS X 10.6 or later by amending the XProtect malware/minimum versions file.</p>
<p>
	Users who want to re-enable a secure, working version of Java can <a href="http://www.java.com/en/download/testjava.jsp">download the update here</a>. The update is recommended for users on all operating systems including Windows and Linux. Of course, if you don't need to be running a Java VM for a specific reason, <a href="http://www.tuaw.com/2013/01/11/a-reasonable-response-to-java-security-problems/">your most secure path is to not have it installed</a>.</p>
<p>
	At a minimum, you might consider <a href="http://www.tuaw.com/2013/01/11/a-reasonable-response-to-java-security-problems/">TJ's reasonable advice</a> and reserve your browser-centric Java activities to a single-site browser like Fluid.app, or simply <a href="http://reviews.cnet.com/8301-13727_7-57563567-263/new-malware-exploiting-java-7-in-windows-and-unix-systems/">leave Java disabled for browser access most of the time</a> and only turn it on when specifically required.</p>
<p>
	From the <a href="http://www.oracle.com/technetwork/topics/security/alert-cve-2013-0422-1896849.html">release notes</a>, Oracle states: <em>"Due to the severity of these vulnerabilities, the public disclosure of technical details and the reported exploitation of CVE-2013-0422 'in the wild,' Oracle strongly recommends that customers apply the updates provided by this Security Alert as soon as possible."</em></p>
<p>
	Apple no longer distributes its own version of Java for Macs running OS X 10.7 or higher. Oracle is now directly responsible for producing and updating the Mac JRE package, as it does for other mainstream operating systems.</p><p style="padding:5px;background:#ddd;border:1px solid #ccc;clear:both;"><a href="http://www.tuaw.com/2013/01/14/oracle-releases-fix-for-zero-day-java-security-bug/">Oracle releases v11 fix for zero-day Java security flaw</a> originally appeared on <a href="http://www.tuaw.com">TUAW - The Unofficial Apple Weblog</a> on Mon, 14 Jan 2013 09:00:00 EST.  Please see our <a href="http://www.weblogsinc.com/feed-terms/">terms for use of feeds</a>.</p>
<p><a href=http://www.oracle.com/technetwork/topics/security/alert-cve-2013-0422-1896849.html>Read</a> | <a href="http://www.tuaw.com/2013/01/14/oracle-releases-fix-for-zero-day-java-security-bug/" rel="bookmark" title="Permanent link to this entry">Permalink</a> | <a href="http://www.tuaw.com/forward/20427750/" title="Send this entry to a friend via email">Email this</a> | <a href="http://www.tuaw.com/2013/01/14/oracle-releases-fix-for-zero-day-java-security-bug/#comments" title="View reader comments on this entry">Comments</a></p>]]></description><category>fix</category><category>java</category><category>Mac</category><category>malware</category><category>oracle</category><category>os x</category><category>OsX</category><category>patch</category><category>zero day</category><category>ZeroDay</category><dc:creator>Michael Grothaus</dc:creator><pubDate>Mon, 14 Jan 2013 09:00:00 EST</pubDate></item><item><title>A reasonable response to Java security problems (Updated)</title><link>http://www.tuaw.com/2013/01/11/a-reasonable-response-to-java-security-problems/</link><guid isPermaLink="true">http://www.tuaw.com/2013/01/11/a-reasonable-response-to-java-security-problems/</guid><comments>http://www.tuaw.com/2013/01/11/a-reasonable-response-to-java-security-problems/#comments</comments><description><![CDATA[<p>
	<img alt="" src="http://www.blogcdn.com/www.tuaw.com/media/2010/10/140704-javaiconoriginal.jpg" style="width: 188px; height: 188px; border-width: 0px; border-style: solid; margin: 8px; float: right; " /></p>
<p>
	<strong>Update:</strong> According to <a href="http://www.macobserver.com/tmo/article/apple-remote-disables-java-on-macs-after-major-security-alert">The Mac Observer</a>, Apple has acted proactively to block the Java browser plug-in on Mac machines with OS X 10.6 Snow Leopard or higher. If you are running an earlier version of OS X, then you should disable Java as noted below.</p>
<p>
	<strong>Update 2</strong>: In a remarkably speedy turnaround, <a href="http://www.tuaw.com/2013/01/14/oracle-releases-fix-for-zero-day-java-security-bug/">Oracle has released a patched Java VM</a> (release 11, listed as b21 internally) that closes this particular hole. Users who need Java installed are urged to update ASAP. You may have to update manually; Mike Rose reports that the auto-update feature on his machine ended up crashing the Java control panel.</p>
<p>
	A Java security flaw has been <a href="http://www.kb.cert.org/vuls/id/625617">reported by CERT</a> (the Computer Emergency Readiness Team). <a href="http://thenextweb.com/insider/2013/01/10/new-java-vulnerability-is-being-exploited-in-the-wild-disabling-java-is-currently-your-only-option/">TheNextWeb</a> has a good write-up of the background of the exploit's discovery.</p>
<p>
	Here's the bad news: there is no "fix" for the bug yet. Here's the worse news: it is believed that malicious sites on the web are already aware of this security hole, and are trying to exploit it.</p>
<p>
	<em>Is your Mac at risk?</em> Maybe. It is possible that your Mac does not even have Java installed. Apple stopped including Java by default with Lion. However, if you have run into any websites or software that needs Java, it may have prompted you to install it.</p>
<p>
	So what should you do? Well, here are some options:</p>
<ol>
	<li>
		Stop using the Internet and go live in a yurt.</li>
	<li>
		Disable Java.</li>
	<li>
		Uninstall Java.</li>
	<li>
		Ignore it and hope that everything will be OK.</li>
</ol>
<p>
	Hopefully you guessed that options 1 &amp; 4 are the "Not Good" options, so that leaves us with two choices: Disable or Uninstall?</p>
<p>
	Here's my suggestion: if you are on Mac OS X 10.7 or 10.8 (Lion or Mountain Lion), have Java installed, and you're not just one of those people who goes around installing things willy-nilly, my guess is that you have (or had) some software program that relies on Java. If you uninstall it, something might break and you might not be able to figure out why.</p>
<p>
	However, if you disable Java in whichever browser(s) you use regularly, you can continue to use your web browser without worrying about this exploit. If you find a website that uses Java, you can turn it on, do what you need to do, and then turn it off again.</p>
<p>
	<strong>Safari Users:</strong> you can easily disable Java by going to Safari's Preferences, choosing the Security tab, and unchecking the appropriate box:</p>
<p style="text-align:center">
	<img alt="" border="0" height="198" src="http://www.blogcdn.com//media/2013/01/disable-java-safari-tjl.jpg" width="456" /></p>
<p>
	<strong>Google Chrome</strong> users need to go to <strong>chrome://plugins</strong></p>
<p>
	<strong>Firefox users:</strong> Go to the "Tools" menu, then "Add-ons" (or ⌘ + Shift + A) and choose the "Plugins" tab. Then click the 'disable' button next to Java Applet Plug-in.</p>
<h3 id="butineedjavaforthesesitesiuseeveryday">
	"But I need Java for these sites I use every day!"</h3>
<p>
	OK, so that's the reasonable response that I think will work for <em>most</em> people, but if you happen to be one of the people who needs to use Java every day for a specific set of websites <strong><em>all is not lost.</em></strong></p>
<p>
	In fact, there's a very easy solution called <a href="http://fluidapp.com">Fluid.app</a>. This one might seem a little nerdy, but once you set it up, it's quite easy.</p>
<p>
	We've <a href="http://www.tuaw.com/tag/fluid-app/">mentioned Fluid.app on TUAW in the past</a> and it's one of my favorite tools. With Fluid.app you can make a "standalone" web browser with its own set of preferences, including Java. You can find these settings in your Fluid.app browser under 'Settings':</p>
<p style="text-align:center">
	<img alt="" border="0" height="191" src="http://www.blogcdn.com//media/2013/01/fluidsecuritypreferences2013-01-11-1.jpg" width="456" /></p>
<p>
	But wait! <em>he said in his best made-for-TV voice</em> There's more!</p>
<p>
	Fluid.app will <em>also</em> let you specify exactly which websites (domains, URLs, etc.) you want to use with that browser. Go to the "Whitelist" preferences and enter the domains, like this:</p>
<p style="text-align:center">
	<img alt="" border="0" height="362" src="http://www.blogcdn.com//media/2013/01/2013-01-11-fluid-whitelistpreferences.jpg" width="456" /></p>
<p>
	Now the rule that I have will allow me to visit any URL that includes www.google.com. You can add more sites using the + at the bottom of the window.</p>
<p>
	Add all of your known and trusted sites which use Java. If you come across a link to a different site, it will automatically send you over to your regular browser (where you have disabled Java). Using this system you can have the security of having Java disabled, but still have the convenience of being able to use it on sites that you trust.</p><p style="padding:5px;background:#ddd;border:1px solid #ccc;clear:both;"><a href="http://www.tuaw.com/2013/01/11/a-reasonable-response-to-java-security-problems/">A reasonable response to Java security problems (Updated)</a> originally appeared on <a href="http://www.tuaw.com">TUAW - The Unofficial Apple Weblog</a> on Fri, 11 Jan 2013 08:30:00 EST.  Please see our <a href="http://www.weblogsinc.com/feed-terms/">terms for use of feeds</a>.</p>
<p><a href="http://www.tuaw.com/2013/01/11/a-reasonable-response-to-java-security-problems/" rel="bookmark" title="Permanent link to this entry">Permalink</a> | <a href="http://www.tuaw.com/forward/20425995/" title="Send this entry to a friend via email">Email this</a> | <a href="http://www.tuaw.com/2013/01/11/a-reasonable-response-to-java-security-problems/#comments" title="View reader comments on this entry">Comments</a></p>]]></description><category>Fluid</category><category>Google Chrome</category><category>Java</category><category>Lion</category><category>Mac OS X</category><category>Plug-in</category><category>Safari</category><dc:creator>TJ Luoma</dc:creator><pubDate>Fri, 11 Jan 2013 08:30:00 EST</pubDate></item><item><title>Securing Your Mac: A Guide for Reasonable People, Version 1.0</title><link>http://www.tuaw.com/2012/11/30/securing-your-mac-a-guide-for-reasonable-people-version-1-0/</link><guid isPermaLink="true">http://www.tuaw.com/2012/11/30/securing-your-mac-a-guide-for-reasonable-people-version-1-0/</guid><comments>http://www.tuaw.com/2012/11/30/securing-your-mac-a-guide-for-reasonable-people-version-1-0/#comments</comments><description><![CDATA[<p style="text-align:center;padding:0;margin:0 0 10px 0">
	<img alt="" border="0" height="341" src="http://www.blogcdn.com//media/2012/11/lionsecurityvehicletuawrmg23343.jpg" width="456" /></p>
<p>
	"How do I protect my Mac online? Should I run any 'security' applications on my Mac?"</p>
<p>
	That question arrived several weeks ago via the <a href="http://www.tuaw.com/contact/feedback">contact form</a> here at TUAW, and I have been trying to come up with a <em>reasonable</em> answer to it ever since.</p>
<p>
	That question, or a variation of it, comes fairly regularly. Usually the person asking it has switched from Windows to Mac, and has brought with them an expectation that they should run some sort of <a href="http://tuaw.com/tag/antivirus">anti-virus</a>, anti-spyware, or anti-malware program.</p>
<p>
	It's easy to be glib and say that the only really safe computer is one that is turned off and locked away.</p>
<p>
	Conventional wisdom would have you believe that Mac users don't care about security, or think they are immune to security problems. That is a <a href="https://securosis.com/blog/the-myth-of-the-security-smug-mac-user">myth</a> for everyone except <a href="http://verynicewebsite.net/2012/04/the-myth-of-the-security-smug-mac-user/">Artie MacStrawman</a>.</p>
<p>
	On the other side, you have tech pundits who have been predicting the "downfall" of Mac security <a href="http://daringfireball.net/2011/05/wolf">since 2004</a>, and every time there is even the slightest bit of security news, there are plenty who want to jump and point and say "See! We told you Macs were no better than Windows!" Many of those articles and much of the hype about protecting your Mac comes from companies which also happen to sell you protection against these potential harms.</p>
<p>
	The argument generally goes like this: "It is inevitable that Mac OS X will eventually have problems like Windows has, so you should buy one of our programs to protect yourself for when that inevitable day arrives."</p>
<p>
	Ironically, one of the biggest security problems that Mac OS X has faced was the <a href="http://en.wikipedia.org/wiki/Trojan_BackDoor.Flashback">Flashback Trojan</a> in April 2012, and none of the Mac anti-virus companies made much of a big deal about it at the time because <a href="http://daringfireball.net/linked/2012/04/05/flashback">none of them caught it before it was already identified as a problem</a>.</p>
<h3>
	So What Is a Reasonable Person Supposed to Do?</h3>
<p>
	I have spent some time gathering information on what I believe are <em>reasonable</em> steps which will allow you to continue to use your Mac on a regular basis, and which will also protect you in case something does happen involving any sort of "malware," whether that is a trojan horse, a virus, spyware, or any such thing.</p>
<p>
	This advice comes to you from a neutral party. I do not have any financial stake in selling you software or services, nor do I believe the myth of the impenetrable computer, no matter what operating system you use.</p>
<p>
	You will notice that many of the suggestions that I make are not specifically about protecting yourself from malware; in fact, a lot of them would apply if all you were worried about was what might happen if your computer was ever lost, stolen, or destroyed in a fire or other disaster.</p>
<p>
	(Oh, and one last bit of prologue: while I did decide to number these so they could be easily referred to, I did not try to come up with a certain number of steps that you should take.)</p>
<p>
	<strong>Step 1) Make Backups: Use Time Machine.</strong></p>
<p>
	Telling people to make backups is like telling people to eat better and get more exercise. Almost everyone knows that they should do it, almost everyone believes that they should do it, but far too many people still don't do it.</p>
<p>
	But if you ignore everything else I say, please listen to this: <em>Make backups.</em></p>
<p>
	There's really no excuse not to make backups on your Mac. Every Mac comes with <a href="http://support.apple.com/kb/HT1427">Time Machine</a>, a built-in backup solution which is as easy as buying a second hard drive and plugging it into your Mac. <a href="http://www.tuaw.com/tag/TimeMachine/">Time Machine</a> will prompt you to start using it, and will automatically keep things backed up.</p>
<p>
	Using Time Machine is like wearing your seat belt in a car. Just do it, no excuses.</p>
<p>
	<strong>Step 2) Make Backups: A Bootable Clone.</strong></p>
<p>
	Time Machine is great, but don't stop there. If you really want to be safe, you should have a <em>clone</em> of your hard drive. A clone is an exact copy of your drive which you can use to boot your computer in case the hard drive dies. You can make one of these using Disk Utility, but I suggest <a href="http://www.shirt-pocket.com/SuperDuper/">SuperDuper</a> or <a href="http://www.bombich.com/">Carbon Copy Cloner</a>.</p>
<p>
	Using Time Machine and a bootable clone is like wearing your seat belt <em>and</em> having insurance. It's just a good idea.</p>
<p>
	<em>Extra Credit:</em> If your house or apartment burned down tomorrow while you were away, would it take out your computer <em>and</em> your backup? What if someone broke in and stole your computer and backup drive? For these reasons, people often suggest having an <em>off-site</em> backup. There are several ways you can do this.</p>
<p>
	The simplest path to offsite backup is making <em>two</em> clones of your drive, and bringing one somewhere like your office or a friend's house. OS X 10.8 Mountain Lion also <a href="http://www.tuaw.com/2012/07/25/mountain-lion-101-multi-volume-time-machine/">makes it easier to alternate drives for Time Machine</a>, allowing you to rotate drives in and out at will. Either way, you'd have a copy of your data locally and one someplace else.</p>
<p>
	But both of those approaches require you to update those backups periodically and physically move the drives around. A more hands-off solution would be something like <a href="https://www.backblaze.com">BackBlaze</a> or <a href="http://crashplan.com">CrashPlan</a> or <a href="http://mozy.com">Mozy</a> or <a href="http://www.carbonite.com">Carbonite</a> or <a href="https://www.jungledisk.com">JungleDisk</a> or another app that does real-time, off-site backups. CrashPlan actually allows you to <a href="http://www.makeuseof.com/tag/how-to-create-automatic-backups-for-free-with-crashplan/">"buddy up" with a friend or family member</a> who has a high-speed Internet connection; you back up to a spare drive at their house, and they can do the same at your place.</p>
<p>
	<strong>Step 3) Use Dropbox for your most important files.</strong></p>
<p>
	<a href="https://www.dropbox.com">Dropbox</a> isn't a backup system <em>per se</em>, but it does have a few things to offer that can be quite helpful when dealing with computer security.</p>
<p>
	The first is that as soon as you save a document to your Dropbox folder (or any of its sub-folders) it is immediately copied to the Dropbox website. That means that in a matter of seconds, there is an off-site backup copy. If you are working on a file at 10:15 a.m. and spill your coffee on your laptop at 10:20 a.m., Dropbox is the best chance you have of getting an up-to-date copy of that file.</p>
<p>
	Likewise, if some sort of a security breach affected your computer and corrupted or deleted your files, Dropbox can help here too. First of all, Dropbox keeps all revisions of a file going back 30 days. Using the Dropbox web interface, you can go back and compare versions, and find the last safe, clean copy of an infected file. Dropbox will also let you restore files which have been deleted in the past 30 days. (There's an add-on service called <a href="https://www.dropbox.com/help/113/">pack-rat</a> which will let you recover files beyond 30 days -- indefinitely, in fact.)</p>
<p>
	File <em>corruption</em> can be a much more difficult problem to solve than file <em>deletion.</em> Being able to easily compare versions is a significant feature. Apple's Time Machine can do that as well, but by default it only runs once per hour, and a file you are actively working on may have been changed many times during that hour.</p>
<p>
	<em>Dropbox and Security:</em> Some people might object to recommending Dropbox as a security feature because what you are doing is copying a file to a 3rd party where it could (theoretically) be compromised by a security leak at Dropbox. To me, it comes down to a matter of trade-offs. First of all, I don't have anything that would qualify as "state secrets" in my Dropbox. My most important confidential information is stored in 1Password, which is encrypted on disk before being sent to Dropbox and is protected by what I consider to be a very secure master password (based on the information I learned by reading <a href="http://blog.agilebits.com/2011/06/21/toward-better-master-passwords/">Toward Better Master Passwords</a> and <a href="http://blog.agilebits.com/2011/08/10/better-master-passwords-the-geek-edition/">Better Master Passwords: The geek edition</a>).</p>
<p>
	Secondly, I consider accidental deletion or data corruption (or a hard drive crash) as much more likely than someone breaking into Dropbox to get at my files. Dropbox works for me because I don't have to think about it, it just runs, automatically, all of the time, on all of my computers.</p>
<p>
	A reasonable person might decide to encrypt sensitive files locally before saving them to Dropbox. (You can do this for free with Disk Utility and an encrypted disk image, or use something like <a href="http://agilebits.com/knox">Knox</a>.) You can also achieve similar sync-to-the-cloud results with <a href="http://www.labnol.org/software/compare-google-drive-skydrive-dropbox/21214/">Google Drive, SkyDrive</a>, <a href="https://www.sugarsync.com/">SugarSync</a> or <a href="http://www.dollydrive.com/">Dolly Drive</a>.</p>
<p>
	<strong>Step 4) Be Careful Where You Get Your Software.</strong></p>
<p>
	Now we are moving beyond the realm of backups and multiple copies of files and getting into computer security from malware.</p>
<p>
	The most likely way that some sort of malware will get installed on your computer is by someone (or you) installing it, thinking that they are installing something else. If I can write a program and convince you to run it and enter your password when prompted, I can do pretty much anything to your computer.</p>
<p>
	If you find a program through BitTorrent which claims to be some high-end software for OS X that you want but don't want to buy (or can't afford), you might be tempted to download and install it. You might tell yourself that you aren't going to use it often enough to justify buying it, or maybe you want to try it out before you decide to buy it. Whatever the reason, the problem is that you don't really know what you're installing. It might be a "safe" version of a cracked program, or it might be a program that will also install some other kind of malware on your computer alongside of the program that you <em>think</em> you are getting.</p>
<p>
	Once you start installing software from an untrustworthy source, you're setting yourself up for trouble. So what is a reasonable person to do?</p>
<p>
	<em>Use the </em><a href="http://www.tuaw.com/tag/MacAppStore/">Mac App Store</a><em>.</em> Apple promotes the <a href="http://www.apple.com/osx/apps/app-store.html">Mac App Store</a> as a safe place to buy and install software. Many applications are available for free, and overall the price of software these days is incredibly low for what you get. While no system is 100% foolproof, the odds of downloading some sort of malware from the Mac App Store are extremely remote.</p>
<p>
	<em>Use <strong>trusted</strong> third-party software.</em> The downside to the Mac App Store is that Apple has placed <a href="http://blog.wilshipley.com/2011/11/real-security-in-mac-os-x-requires.html"><em>so many</em> restrictions</a> on what apps can do, that many excellent, useful, trustworthy applications just are not available on the Mac App Store. I download and install third-party software all of the time, and I do so with confidence because I take what I consider to be reasonable precautions.</p>
<p>
	Starting in OS X 10.8 (Mountain Lion), Apple introduced <a href="http://support.apple.com/kb/HT5290">Gatekeeper</a> which is designed to be another layer of protection against malware. By default, Gatekeeper will only allow you to run applications from the Mac App Store or from "identified developers" who have paid US$100 for a developer license and cryptographically signed their software to make sure that it hasn't been tampered with. <a href="http://www.macworld.com/article/1165408/mountain_lion_hands_on_with_gatekeeper.html">Macworld</a> has a good article explaining what Gatekeeper is and isn't. It is possible for a malicious developer to develop a malicious program, sign up for Apple's developer program and distribute that program on their website. However, the chances of that seem relatively slim.</p>
<p>
	What is much more likely is that you might find a piece of software that you want to run, and see a warning that it is from an unknown developer. You might choose to open it anyway. This is where things start to get more difficult because there <em>are</em> legitimate apps out there which are made by legitimate developers who have not cryptographically signed their software. It may be that the software is a few years old and was developed before Gatekeeper was introduced. It may be that the developer made the app in his/her spare time and didn't feel like paying Apple for a developer certificate.</p>
<p>
	A reasonable person has to weigh the potential consequences and likelihood of this application being some sort of malware. Has the app been reviewed by a reputable Mac-related website? Is it a well-known app? Be careful of any software which arrives via email or on some random tucked-away page on a web forum, etc.</p>
<p>
	<strong>Step 5) Read first, install last.</strong></p>
<p>
	Perhaps the most important thing you can do to protect yourself is to stay up-to-date on Mac news. A story about an actual Mac malware problem is going to be very widely-reported.</p>
<p>
	This does not mean that you need to refresh your browser or RSS feeds every 15 minutes, or that you need to read <em>every</em> Mac-related site out there. But take a quick glance through the headlines each day to stay informed. This goes along with checking for reviews of software that you are considering installing. Or try a simple search for the application and look for reviews from sites you've heard of before, like TUAW.</p>
<p>
	As a corollary to that point: don't be the first one to try every new app that comes out. Let tech writers risk <em>their</em> computers. If you find something brand new, bookmark it and make yourself some reminder to check it out in a day or two. 999,999 times out of 1,000,000 it's going to be just fine, but Not Being First might be your best chance of not being that unlucky "one in a million."</p>
<h3>
	Do You Need Anti-Malware Software for Mac today?</h3>
<p>
	My answer is no. Is it <em>possible</em> that at some point in the future, Mac OS X users will need to run real-time anti-virus and/or anti-spyware software? Yes. Is it likely? No. Mac security software has not shown itself capable of catching new attacks in real-time, and there are not many attacks to be protected against.</p>
<p>
	If you insist on running anti-malware software for Mac, try either <a href="http://www.clamxav.com">ClamXav</a> or <a href="http://www.sophos.com/en-us/products/free-tools/sophos-antivirus-for-mac-home-edition.aspx">Sophos</a>. Pick <em>one</em> but <strong><em>not both</em></strong>. Running two of these kinds of programs will cause far more problems than either one will solve.</p>
<p>
	Just remember, whenever you read a claim that Mac malware is either an unavoidable inevitability (or a current reality), check to see if the person who wrote the article sells Mac security software.</p>
<p>
	<strong>Use the tools Apple provides.</strong></p>
<p>
	Apple gained a reputation for not being overly concerned with security, but that seems to be slowly changing. They have published a page of security features in Mac OS X 10.8 called <a href="http://www.apple.com/osx/what-is/security.html">Safety. Built right in</a>.</p>
<p>
	There are several built-in features that you can control as well:</p>
<ul>
	<li>
		<p>
			Mac OS X has a firewall built-in. Go to System Preferences &raquo; Security &amp; Privacy and see if it is enabled. (Your router may also have a firewall built-in.)</p>
	</li>
	<li>
		<p>
			While you are in System Preferences, look under "Sharing" and turn off anything that doesn't need to be on.</p>
	</li>
</ul>
<h3>
	Safer Safari</h3>
<p>
	There are several changes that you can make to Safari to make it safer.</p>
<p>
	First, go to Preferences &raquo; General and <em>uncheck</em> the box next to "Open 'Safe' files after downloading."</p>
<p style="text-align:center">
	<img alt="" border="0" height="354" src="http://www.blogcdn.com//media/2012/11/safari-general-open-safe.jpg" width="456" /></p>
<p>
	You may remember that browser security has most often been compromised through Adobe Flash, such that a security contest winner gave this advice: <a href="http://www.tuaw.com/2010/03/02/browser-security-the-main-thing-is-not-to-install-flash/">"The main thing is not to install Flash!"</a>.</p>
<p>
	Java was also a recent security hole on OS X. It is possible to disable both Plugins and Java by going into the Safari Security Preferences, and unchecking the boxes shown here:</p>
<p style="text-align:center">
	<img alt="" border="0" height="156" src="http://www.blogcdn.com//media/2012/11/safarisecuritypreferencestjl.jpg" width="456" /></p>
<p>
	I don't find myself needing Java in Safari all that often, so I find it simple to disable that altogether. I also regularly disable plugins, but I'm not sure I would go so far as to say that is a <em>reasonable</em> step for most people. Many would probably find it frustrating and annoying.</p>
<p>
	Instead, I would encourage you to consider using the <a href="http://hoyois.github.com/safariextensions/clicktoplugin/">ClickToPlugin &amp; ClickToFlash Safari extensions</a> which will prevent plugins from running <em>automatically</em> but which let you run them when you want. That seems to be a much more reasonable and balanced approach.</p>
<h3>
	A Reasonable Protection</h3>
<p>
	If you made it to the end, I have a bonus suggestion which I think offers the best balance between practicality and security in protecting yourself from future malware threats.</p>
<p>
	To understand how this tool works, you have to understand the system that Apple uses to launch programs (either visible apps or background daemons) whenever you reboot your computer and/or log into your computer.</p>
<p>
	For example, when I log in, several applications start right away. I can see some of these by going to System Preferences &raquo; Users &amp; Groups and then selecting my user account and 'Login Items' as shown here:</p>
<p style="text-align:center">
	<img alt="" border="0" height="344" src="http://www.blogcdn.com//media/2012/11/loginitems-tjl-security.jpg" width="456" /></p>
<p>
	But those are only <em>some</em> of the applications and daemons that run automatically. OS X has several different folders which can be used to auto-launch programs via the <a href="http://developer.apple.com/documentation/Darwin/Reference/ManPages/man8/launchd.8.html">launchd</a> system:</p>
<ol>
	<li>
		~/Library/LaunchAgents</li>
	<li>
		/Library/StartupItems</li>
	<li>
		/Library/LaunchAgents</li>
	<li>
		/Library/LaunchDaemons</li>
	<li>
		/System/Library/LaunchAgents</li>
	<li>
		/System/Library/LaunchDaemons</li>
	<li>
		/System/Library/StartupItems</li>
</ol>
<p>
	I checked those folders on my computer and found there were over 400 entries. That does not concern me at all, because not all of those programs are running, and the ones that are running provide some kind of service or benefit.</p>
<p>
	However, this is also the most likely place that a piece of malware would try to hide.</p>
<p>
	What do most people do if their computer starts acting strangely? Chances are good that they will reboot it. So if you were trying to get some kind of malicious software on someone's computer, the first thing you would try to do is make sure that if someone reboots their computer, your software will start up again. In fact, to avoid detection you might not want your program to do <em>anything</em> at first <em>except</em> make sure that it will start up when the computer is rebooted.</p>
<p>
	Therefore, a good way to protect yourself is to keep an eye on these various auto-launch tools, and be notified whenever something is added to them.</p>
<p>
	The tricky part is making sure that you don't overreact just because something happens in one of those folders. Chances are good that you had no idea those 400+ things existed, and none of them were malicious. Computers do a lot of good things in the background that we don't want to be constantly bothered with knowing about. Think about this sort of like you think about your basement or storage area in your house: you might have a lot of stuff in there, and you might not even need to care about most of it, but you would want to know if someone put something in your basement without your knowledge.</p>
<p>
	The folks at <a href="http://www.circl.lu">CIRCL (Computer Incident Response Center Luxembourg)</a> created a free tool to detect when something has been added to the automatic launch settings for OS X. You can download it at <a href="http://www.circl.lu/pub/tr-08/">http://www.circl.lu/pub/tr-08/</a> and it will give you an alert whenever something is added to one of those folders. More detailed information about using that tool is available at <a href="http://reviews.cnet.com/8301-13727_7-57415311-263/monitor-os-x-launchagents-folders-to-help-prevent-malware-attacks/">MacFixIt</a>.</p>
<p>
	As long as you remember that this system is detecting <em>all activity</em>, not just <em>malicious activity</em>, then this could be a very powerful "early warning" tool. Because it is only checking a few, very specific places, it should not add any noticeable performance drain on your computer, unlike many other anti-malware tools. It is not a 100% guarantee of protection, but it is a very good <em>reasonable</em> precaution to take.</p>
<h3>
	Don't Panic, Do Plan</h3>
<p>
	Despite warnings of the "inevitability" of malware on the Mac, the reality has been a very limited sphere of trouble. That doesn't mean that you should ignore the possibility of there <em>ever</em> being problems, but right now there just is not much that I can recommend for proactive protection beyond backups, caution, and common sense.</p>
<p>
	I have labeled this guide "Version 1.0" because it may need to be updated in the future, but this represents the most reasonable balance, in my opinion, for the reality of today's Mac user.</p>
<p>
	<em>Version history:<br />
	2012/12/01 -- Minor typographical edits. Amended backup section to note multi-volume Time Machine, CrashPlan buddy backup. Amended sync section (Dropbox) to cite other sync vendors.</em></p><p style="padding:5px;background:#ddd;border:1px solid #ccc;clear:both;"><a href="http://www.tuaw.com/2012/11/30/securing-your-mac-a-guide-for-reasonable-people-version-1-0/">Securing Your Mac: A Guide for Reasonable People, Version 1.0</a> originally appeared on <a href="http://www.tuaw.com">TUAW - The Unofficial Apple Weblog</a> on Fri, 30 Nov 2012 23:00:00 EST.  Please see our <a href="http://www.weblogsinc.com/feed-terms/">terms for use of feeds</a>.</p>]]></description><category>antivirus</category><category>features</category><category>flash</category><category>how-to</category><category>Mac</category><category>malware</category><category>os x</category><category>OsX</category><category>plugins</category><category>security</category><dc:creator>TJ Luoma</dc:creator><pubDate>Fri, 30 Nov 2012 23:00:00 EST</pubDate></item><item><title>How a kid-friendly app leaks mature content via YouTube</title><link>http://www.tuaw.com/2012/11/19/how-a-kid-friendly-app-leaks-mature-content-via-youtube/</link><guid isPermaLink="true">http://www.tuaw.com/2012/11/19/how-a-kid-friendly-app-leaks-mature-content-via-youtube/</guid><comments>http://www.tuaw.com/2012/11/19/how-a-kid-friendly-app-leaks-mature-content-via-youtube/#comments</comments><description><![CDATA[<p style="text-align:center;padding:0;margin:0 0 10px 0">
	<img alt="" border="0" height="347" src="http://www.blogcdn.com//media/2012/11/hulktube.jpg" width="456" /></p>
<p>
	With the rose-hued glasses of nostalgia firmly in place, today's tech-tangled parents may long for a simpler pre-Internet time when kids simply got into fights or stayed out too late, rather than getting tangled up in sexting mishaps or giving out inappropriate personal info on Facebook.</p>
<p>
	For all technology's hazards, however, it has given moms and dads the opportunity to engage and explore our kids' preferences in media and leisure activities collaboratively with them. When we're enabled by parental controls or app ratings to help our kids make good choices, that's a win. When the rating systems or the restrictions don't encompass an edge case, unfortunately, that's a problem.</p>
<p>
	Reader Chris A. emailed us to point out a subtle gap in the App Store's rating system when it comes to games and other apps aimed at kids. The example app here is the <a href="https://itunes.apple.com/us/app/avengers-initiative/id507283331?mt=8">Avengers Initiative</a> game (US$6.99 and rated 9+ for cartoon violence), but <a href="https://itunes.apple.com/us/app/ghostbusters-paranormal-blast/id533816549?mt=8">several others</a> exhibit the same potential issue.</p>
<p>
	In the settings and social content area for Avengers Initiative, there's an option to visit the "Marvel XP" microsite for supplementary content, character profiles, videos and so on. In order to get to the good stuff, you've got to register a Marvel account; in fairness to the company and to Apple, there is an age challenge during registration that requires you to say you're 13 or older in order to sign up. A parent might sign up for a child, however, on the assumption that the web content in Marvel XP would be consistent with the rest of the app.</p>
<p>
	Here's where it gets dicey: the video content in Marvel XP is hosted on YouTube, so if a young person taps on the Hulk's video introduction the player window that comes up includes the YouTube player bar on the bottom. Guess what happens if you tap the YouTube logo in the bottom right corner? Indeed, the device screen is taken over with the full m.youtube.com interface, <em>including the search button</em>. Funky sexy adult-type videos, here we come!</p>
<p>
	You can see the steps to reproduce this in the video below (hosted, un-ironically, by YouTube).</p>
<p>
	<iframe allowfullscreen="" frameborder="0" height="342" src="http://www.youtube.com/embed/TzjzlI1qQUE?rel=0" width="456"></iframe></p>
<p>
	Sure, it's an obscure pathway to get to the fun stuff. But this is likely reproducible in most applications with embedded YouTube content, regardless of rating or intended audience. Disabling the YouTube app (pre-iOS 6) doesn't block it, nor would putting restrictions on Safari. It's simply not considered in the ratings matrix.</p>
<p>
	The good news is, there may be a simple fix for these apps that keeps the video, but <a href="https://developers.google.com/youtube/player_parameters#modestbranding">without the "let me see the whole world" button</a>. YouTube's "modestbranding" flag, applied to the embed HTML snippet, should permit developers to embed video sans logo &amp; link which may in turn keep the tots from meandering around. If the Ghostbusters and Avengers app teams took this simple step, that would help Chris's peace of mind when it comes to his kids' iPad time. Developers who <em>don't</em> have the correct embedding setup should probably let parents know that the apps they're browsing include a video escape clause.</p>
<p>
	Another way around the whole problem: game devs, don't host your video content for your sub-17+ apps on YouTube at all. Pony up for a paid account on <a href="http://Viddler.com">Viddler</a> or simply run your own streaming server, instead.</p>
<p>
	Rating apps on content and appropriateness is never going to be a perfect system. Most apps that provide web browser functionality <a href="http://agiletortoise.com/blog/2012/3/2/in-app-browsers-and-the-17-rating.html">should technically be rated 17+</a>, which has been a <a href="http://www.marco.org/2009/07/15/theres-a-pretty-significant-problem-in-the-new">point of contention for years now</a>. On some level, that flag makes some sense; there's no way for the iOS restrictions system to control where those apps end up on the big scary Web.</p>
<p>
	Different families will have different tolerances for exposure to edgy or inappropriate content on YouTube. (I think I hit my limit this weekend when <a href="http://www.youtube.com/watch?v=-bRe755HopU">the Harry Potter videogame playthrough</a> chosen by my eight-year-old turned out to include a rather impressive amount of profanity.) But it's harder to have the conversation about what's appropriate or allowed if you don't even know about the library of <a href="http://www.youtube.com/watch?v=eSQczYEeB2w&amp;feature=related">out-there videos</a> that's hiding in plain sight, right behind the Hulk.</p><p style="padding:5px;background:#ddd;border:1px solid #ccc;clear:both;"><a href="http://www.tuaw.com/2012/11/19/how-a-kid-friendly-app-leaks-mature-content-via-youtube/">How a kid-friendly app leaks mature content via YouTube</a> originally appeared on <a href="http://www.tuaw.com">TUAW - The Unofficial Apple Weblog</a> on Mon, 19 Nov 2012 14:30:00 EST.  Please see our <a href="http://www.weblogsinc.com/feed-terms/">terms for use of feeds</a>.</p>]]></description><category>app store</category><category>AppStore</category><category>features</category><category>geekparent</category><category>iPad</category><category>parenting</category><category>ratings</category><category>restrictions</category><category>security</category><category>youtube</category><dc:creator>Michael Rose</dc:creator><pubDate>Mon, 19 Nov 2012 14:30:00 EST</pubDate></item><item><title>Lessons from Sandy: CrashPlan and the importance of off-site backup</title><link>http://www.tuaw.com/2012/11/06/lessons-from-sandy-crashplan-and-the-importance-of-off-site-bac/</link><guid isPermaLink="true">http://www.tuaw.com/2012/11/06/lessons-from-sandy-crashplan-and-the-importance-of-off-site-bac/</guid><comments>http://www.tuaw.com/2012/11/06/lessons-from-sandy-crashplan-and-the-importance-of-off-site-bac/#comments</comments><description><![CDATA[<img alt="" border="0" height="91" src="http://www.blogcdn.com//media/2012/11/screen-shot-2012-11-06-at-12.26.05-pm-1352230019.png" style="float:right;margin:0 0 8px 8px;border:none" width="236" />
<p>
	When disaster happens, you want to make sure your data is safe. The reality of Hurricane Sandy demonstrated how important it is to store copies of your most precious records, pictures and correspondence off-site.</p>
<p>
	If you are a <a href="http://crashplan.com">CrashPlan</a> backup customer, the company is making it easier for you to get back up to speed on your replacement computer.</p>
<p>
	CrashPlan is offering <a href="http://crashplan.com/blog/code42/sandyresponse">a half-off special</a> to any customer affected by Hurricane Sandy. Their "Restore to your Door" service delivers an encrypted physical hard drive from your cloud-based backups.</p>
<p>
	Restoring a 200 or 300 GB backup might normally take a week or two. With a hard drive, you can get up and running again in just hours.</p>
<p>
	"Restore to your Door" normally retails for $125, but is being offered right now for $62.50. As the CrashPlan site explains, "The most important thing after a disaster is to return to normal life as quickly as possible."</p>
<p>
	Today, I had the opportunity to sit down with Mike Evangelist, Chief Marketing Officer of Code 42 Software, to talk about the service, the software and off-site backup in general.</p>
<p>
	"A lot of people use Time Machine," he told me, "and it's a great thing. But for disaster situations like a hurricane or flood, I'd be willing to bet that 90 percent of the time, the Time Machine drives are sitting right next to the computers they're backing up. That's what cloud backup is all about."</p>
<p>
	CrashPlan offers an off-site solution that provides hourly or daily backups -- you choose how often to back up and what data to back up. For $50/year for one computer (or $120 for up to 10 computers for a single family), you get infinite capacity stored in a secure location.</p>
<p>
	Evangelist said, "Backup is a hassle, it's painful like doing your taxes or going to the dentist. We want to make it painless but we also want to make it dependable. And dependability has many aspects."</p>
<p>
	He points out that most data centers tend to be well-protected with backup power. "That's the beauty of the cloud," he said, adding with some humor, "If our data center were on the Jersey Shore, we might have been in a bind."</p>
<p>
	CrashPlan is engineered for redundancy. "I think the most important thing is the idea that you always want to have more than one backup," Evangelist said. "CrashPlan tries to make that simple. One of the big features of CrashPlan is that you can select which data you want to back up, and then specify where that data is backed up to."</p>
<p>
	Its application lets you manage additional destinations like thumb drives and external USB drives, and includes a feature that lets you save your backups to a friend's computer -- encrypted, of course. It's an easy way to add another level of security by backing up to another trusted destination that's outside your home.</p>
<p>
	"We're huge advocates of backing up to multiple destinations," Evangelist explained. "Not everyone has gigabyte Ethernet. Restoring from CrashPlan is going to take a long time if you've got a huge backup but if you made a local backup, you can restore much more quickly from that."</p>
<p>
	CrashPlan offers a wide range of end-user customization, so you can schedule your backups with fine granularity. If you want the app to only back up when your computer is not being used, it can handle that for you.</p>
<p>
	In the end, backups aren't just about obvious storage issues but what Evangelist calls the "emotional <em>and</em> correct" answers. "People make stuff on their computer all the time -- spreadsheets, documents and accounting. They collect bookmarks. All this stuff is not too valuable, but it's a big drag if you lost it. You need to protect that big collection of stuff.</p>
<p>
	"These days, when I talk to customers, what I find is that people value the most is their photos. Sure, people have video and music collections, in fact all sorts of things that they collect, and it all has value but universally and broadly, the most valuable data people own is photos.</p>
<p>
	"In the old days, of photos and negatives, if there were a disaster, there would be a shoebox to grab. Digital photos <em>seem</em> safer, because you can create copies from the computer, and they seem not as vulnerable, but they also tend to be collected in one giant digital pile in one place."</p>
<p>
	That's a vulnerability many people don't consider.</p>
<p>
	CrashPlan offers a system of "self-healing" archives on their servers. There's a regular process that tests <a href="http://en.wikipedia.org/wiki/Checksum">data checksums</a> to ensure information integrity. When the system encounters any problem, the server contacts the client's computer to re-request those blocks.</p>
<p>
	"We try to be a good neighbor to your computer," Evangelist said. "Our backup system is incremental in a very clever way. It looks for which bytes of a file have changed and only sends those changes. And because they send the changed bytes, the amount of data to be stored is very, very small, allowing us to save many old versions. Of course, if you want to be a bandwidth hog, crank it up! You can save as many old versions of the file as you want. Time Machine does incremental backups as well, but Time Machine makes entire copies of the file."</p>
<p>
	<a href="http://code42.com">Code 42</a>, the people behind <a href="http://crashplan.com">CrashPlan</a>, will be donating 10 percent of all sales through the end of November to the American Red Cross. Not only is now a good time to re-evaluate your off-site data strategy, but Code 42 is also offering an opportunity for you to give a little back to the community.</p>
<p>
	<em>You can also help Sandy relief by <a href="http://www.redcrossblood.org/sandy">donating blood</a>.</em></p>
<p>
</p><p style="padding:5px;background:#ddd;border:1px solid #ccc;clear:both;"><a href="http://www.tuaw.com/2012/11/06/lessons-from-sandy-crashplan-and-the-importance-of-off-site-bac/">Lessons from Sandy: CrashPlan and the importance of off-site backup</a> originally appeared on <a href="http://www.tuaw.com">TUAW - The Unofficial Apple Weblog</a> on Tue, 06 Nov 2012 17:30:00 EST.  Please see our <a href="http://www.weblogsinc.com/feed-terms/">terms for use of feeds</a>.</p>]]></description><category>backup</category><category>Code 42</category><category>Code42</category><category>CrashPlan</category><category>data security</category><category>DataSecurity</category><category>Mac</category><category>Mike Evangelist</category><category>MikeEvangelist</category><category>Sci/Tech</category><category>time machine</category><category>TimeMachine</category><dc:creator>Erica Sadun</dc:creator><pubDate>Tue, 06 Nov 2012 17:30:00 EST</pubDate></item><item><title>Phishing email wants you to renew iCloud. Please don't!</title><link>http://www.tuaw.com/2012/10/23/phishing-email-wants-you-to-renew-icloud-please-dont/</link><guid isPermaLink="true">http://www.tuaw.com/2012/10/23/phishing-email-wants-you-to-renew-icloud-please-dont/</guid><comments>http://www.tuaw.com/2012/10/23/phishing-email-wants-you-to-renew-icloud-please-dont/#comments</comments><description><![CDATA[<p style="text-align: center; ">
	<img alt="Lame phishing attempt wants you to renew iCloud Hint Don't" data-src-height="333" data-src-width="456" src="http://www.blogcdn.com/www.tuaw.com/media/2012/10/phishingfordollarstuaw-3.jpg" style="text-align: center; margin: 4px; " /></p>
<p>
	On occasion, I see <a href="http://en.wikipedia.org/wiki/Phishing">phishing</a> spam in my inbox, just like we all do. These emails usually look fairly realistic, and always have a link to click for me to renew an account or pay a balance -- but since I'm a moderately savvy fellow, I generally avoid falling for them, <a href="http://www.onguardonline.gov/phishing">and you should too</a>.</p>
<p>
	Well, this morning an email allegedly from Apple told me I need to renew my <a href="http://www.tuaw.com/tag/iCloud/">iCloud</a> account. After making a few screenshots, I deleted the email. Why? It's a phishing attempt, and not even a good one. Here's how to tell it's fake.</p>
<p>
	At the top of the email, the sender's address is completely wrong. A real Apple email would come from the apple.com domain, not "rep.store.com". Likewise, the App Store has nothing to do with iCloud accounts.</p>
<p>
	Next, the subject line is "!Cloud" (exclamation point-Cloud), not "iCloud." It's doubtful that Apple would let a mass email go without a quick proofreading pass. And let's not forget the logo. Really? Have you ever seen the word "iCloud" oriented vertically on an Apple site or communication?</p>
<p>
	The paragraph explaining the "subscription was set to renew" is so full of fail it's laughable. First, it should be iCloud "subscriber," not "member." Next, why put PDT behind the date, when no time is listed? Third, have you ever seen an email from Apple that is written in sentence fragments? "Attempt to do so has failed." "Please take a minute."</p>
<p>
	The biggest tell in the message, however, is the instruction to "log in to MobileMe." <a href="http://www.tuaw.com/tag/MobileMe/">MobileMe</a> no longer exists; it was replaced by iCloud. The biggest way to tell that this is a lame attempt at phishing, though, is that link. Legitimate emails <em>sometimes</em> include a link to a login page, but for more sensitive ones (financial, security and such) the best practice is to ask users to self-navigate to a specific site.</p>
<p>
	This link doesn't pass the sniff test. If you hover your mouse pointer over the "LOGIN HERE TO UPDATE" link, you'll see from the tool tip that appears that the link directs you to a completely different site than iCloud.com:</p>
<p style="text-align: center; ">
	<img alt="Lame phishing attempt wants you to renew iCloud Hint Don't" data-src-height="65" data-src-width="280" src="http://www.blogcdn.com/www.tuaw.com/media/2012/10/phishingfordollarstuaw-2.jpg" style="margin:4px" /></p>
<p>
	Yep, you're going to be directed to stor-pple.com, a page that has nothing to do with Apple. This is an extremely poor phishing attempt, since it's not even trying to steal your login. Instead, it's flogging gift and flower sites.</p>
<p>
	The correct link for Apple ID and iCloud security transactions, in case you were wondering, is https://appleid.apple.com -- note the HTTPS protocol, which will help ensure a secure connection between your computer and Apple's webserver. (I'm not making that a "real" link for the reason noted above; if you ever need to reset your Apple ID, be sure to type the URL in <em>yourself</em>, in a browser you trust, on a computer you control. Maybe even disable <a href="http://www.tuaw.com/tag/Java/">Java</a> and <a href="http://www.tuaw.com/tag/Flash/">Flash</a>, just for extra protection.)</p>
<p>
	Other favorite phishing emails come from miscreants pretending to be banks, credit unions, insurance companies and PayPal. Probably your best defense is to never click on a link in a suspicious email, or use the "hover over link" test to see where the link is really going. In this case, the attempt was transparently fake, but be sure to be cautious in all of your online activities. If you're checking email from your mobile device where it may be more difficult to assess the provenance of a link, wait until you get back to your computer if you have any doubt -- or just go straight to the relevant site yourself, and be safer.</p><p style="padding:5px;background:#ddd;border:1px solid #ccc;clear:both;"><a href="http://www.tuaw.com/2012/10/23/phishing-email-wants-you-to-renew-icloud-please-dont/">Phishing email wants you to renew iCloud. Please don't!</a> originally appeared on <a href="http://www.tuaw.com">TUAW - The Unofficial Apple Weblog</a> on Tue, 23 Oct 2012 10:35:00 EST.  Please see our <a href="http://www.weblogsinc.com/feed-terms/">terms for use of feeds</a>.</p>]]></description><category>icloud</category><category>phishing</category><category>security</category><dc:creator>Steven Sande</dc:creator><pubDate>Tue, 23 Oct 2012 10:35:00 EST</pubDate></item><item><title>Java 7 and Chrome don't play well together</title><link>http://www.tuaw.com/2012/10/22/java-7-and-chrome-dont-play-well-together/</link><guid isPermaLink="true">http://www.tuaw.com/2012/10/22/java-7-and-chrome-dont-play-well-together/</guid><comments>http://www.tuaw.com/2012/10/22/java-7-and-chrome-dont-play-well-together/#comments</comments><description><![CDATA[<p style="text-align:center;padding:0;margin:0 0 10px 0">
	<img alt="" border="0" height="250" src="http://www.blogcdn.com//media/2012/10/screen-shot-2012-10-22-at-7.17.18-am.png" width="455" /></p>
<p>
	In the immortal words of Lando Calrissian, "<a href="http://www.youtube.com/watch?v=WpE_xMRiCLE">This deal keeps getting worse all the time.</a>" Apple's <a href="http://www.tuaw.com/2012/10/21/java-plugin-users-on-mountain-lion-nudged-firmly-toward-oracle-j">recent Java update removes the Java 6-compatible web plugins from OS X</a>, forcing users that need Java in the browser to move to <a href="http://java.com/en/download/mac_download.jsp">Oracle's Java runtime</a>, which is at version 7. From a security and supportability standpoint, it's a sensible move.</p>
<p>
	There are a <a href="http://blogs.computerworld.com/application-security/21173/ugly-side-latest-java-updates">couple of flies</a> in the ointment, however, starting with the supported browser list. While Safari, Firefox and (I believe) Opera all behave well with the new v7 plugin, one popular browser does not: Google's <a href="http://google.com/chrome">Chrome</a>. The current Chrome build for Mac is 32-bit (as are the available beta/development builds), but Oracle's Java is 64-bit. You can't run a 64-bit plugin in a 32-bit browser, full stop. On OS X 10.8.2 with the Java patch, the v6 32-bit browser plugins won't work either. There's no workaround for the moment, other than to use a browser other than Chrome for your Java needs.</p>
<p>
	As Michael Horowitz (maintainer of the <a href="http://javatester.org">handy Java Tester website</a>) points out on <a href="http://blogs.computerworld.com/application-security/21173/ugly-side-latest-java-updates">Computerworld's Defensive Computing</a> blog, Chrome incompatibility isn't the only hassle with the new arrangement. If you have Apple's Java (v6) installed, adding Oracle's v7 doesn't remove the older version. In fact, there are some applications, including Talkshoe's Mac client, that won't install or run unless the Apple v6 Java framework is present. So now you've got one Java for browsers and another for... well, everything else, mostly.</p>
<p>
	The core advice for Java, at this point, is don't enable it unless you actually need it for a specific reason (such as the backup tool <a href="http://crashplan.com">CrashPlan</a>). <a href="http://reviews.cnet.com/8301-13727_7-57533880-263/java-preferences-missing-after-latest-os-x-java-update/">Apple's Java Preferences applet</a> that formerly lived in the Utilities folder is gone, replaced by a quasi-preference pane for Oracle's Java, so if you want to disable or uninstall the v6 version you're either going to have to grab a copy of the deleted utility or do <a href="http://www.bluevariant.com/2012/04/uninstall-java-from-mac-os-x-10-7-lion/">some minor spelunking in the Terminal</a>.</p><p style="padding:5px;background:#ddd;border:1px solid #ccc;clear:both;"><a href="http://www.tuaw.com/2012/10/22/java-7-and-chrome-dont-play-well-together/">Java 7 and Chrome don't play well together</a> originally appeared on <a href="http://www.tuaw.com">TUAW - The Unofficial Apple Weblog</a> on Mon, 22 Oct 2012 10:00:00 EST.  Please see our <a href="http://www.weblogsinc.com/feed-terms/">terms for use of feeds</a>.</p>]]></description><category>chrome</category><category>java</category><category>Mac</category><category>oracle</category><category>plugin</category><category>security</category><dc:creator>Michael Rose</dc:creator><pubDate>Mon, 22 Oct 2012 10:00:00 EST</pubDate></item><item><title>Java 1.7 zero-day exploit unlikely to impact Mac users (Updated)</title><link>http://www.tuaw.com/2012/08/28/java-1-7-zero-day-exploit-unlikely-to-impact-most-mac-users/</link><guid isPermaLink="true">http://www.tuaw.com/2012/08/28/java-1-7-zero-day-exploit-unlikely-to-impact-most-mac-users/</guid><comments>http://www.tuaw.com/2012/08/28/java-1-7-zero-day-exploit-unlikely-to-impact-most-mac-users/#comments</comments><description><![CDATA[<p style="text-align:center;padding:0;margin:0 0 10px 0">
	<img alt="" border="0" height="214" src="http://www.blogcdn.com//media/2012/08/screen-shot-2012-08-28-at-12.20.08-pm.jpg" width="450" /></p>
<p>
	<strong>Update</strong>: In the interest of quantifying the risk to the average Mac user from this exploit (which, please note, does not currently have a Mac-attack payload), I asked for some data from <a href="http://crashplan.com">CrashPlan</a>. Since the online/peer backup service requires Java, its userbase represents a good proxy for the Java versions installed on the Mac.</p>
<p>
	Co-founder Matthew Dornquast quickly <a href="https://twitter.com/dornquast/status/240652141335805952">responded with a random sample of 200K recent users</a>; his numbers show that the overwhelming majority of CrashPlan's Mac users are on Java 1.6 (92%) and a small minority on the older 1.5 version. The percentage on the 1.7 version targeted by the malware? Approximately zero. It's not often that we find ourselves thankful for out-of-date software, but there it is.</p>
<p>
	---</p>
<p>
	For a widely distributed runtime like <a href="http://java.com">Oracle's Java</a>, a <a href="http://en.wikipedia.org/wiki/Zero-day_attack">zero-day vulnerability</a> (a security flaw exploited to create malware before the platform's maintainers have a chance to analyze and respond) is your basic nightmare. Millions of computers might be affected while a patch is in progress; security companies and ISPs need to coordinate to update malware definitions and block command-and-control websites. Nothing but aggravation -- and since Java can run on all varieties of operating systems, there's plenty of agita to go around.</p>
<p>
	<a href="http://blog.fireeye.com/research/2012/08/zero-day-season-is-not-over-yet.html">Research shop FireEye</a> identified a <a href="http://www.google.com/search?q=java+zero-day&amp;hl=en&amp;safe=off&amp;client=safari&amp;rls=en&amp;prmd=imvnsu&amp;source=univ&amp;tbm=nws&amp;tbo=u&amp;sa=X&amp;ei=h_s8UPGhDcXA0QG_g4GoCw&amp;ved=0CCAQqAI">Java zero-day</a> exploit this weekend that is already targeting fully patched versions of the Java JRE version 1.7 running on Windows machines. The exploit attempts to install a dropper executable (<a href="http://www.enigmasoftware.com/droppermspms-removal/">Dropper.MsPMs</a>) on the machines it attacks. In theory, a separate dropper could be crafted to attack Mac or Linux systems, although none has yet been observed in the wild.</p>
<p>
	That's a reason for Mac users to rest a little more easily, but it's not the big one. <a href="http://reviews.cnet.com/8301-13727_7-57501517-263/new-java-7-exploit-can-potentially-affect-macs/">As CNET points out,</a> the vulnerable edition of the JRE -- 1.7 -- <em>isn't installed by default in a stock configuration of OS X</em>. The Java that Apple delivers on Snow Leopard, Lion and Mountain Lion is JRE 1.6 (and on Lion and Mountain Lion, it's only installed on demand when needed to run Java applications); in order to be on 1.7 and be theoretically susceptible, you'd have to <a href="http://www.oracle.com/technetwork/java/javase/downloads/jre7-downloads-1637588.html">install the Oracle <strike>beta</strike> build manually</a>... which, hopefully, you'd remember doing.</p>
<p>
	Some of <a href="http://www.computerworld.com/s/article/9230656/Macs_at_risk_from_super_dangerous_Java_zero_day">the more breathless coverage</a> of this exploit seems to have <a href="http://www.cultofmac.com/187504/security-experts-zero-day-java-7-exploit-is-super-dangerous-to-mountain-lion-macs/">missed that point</a>; the overwhelming majority of OS X machines are not running the vulnerable version, and any that are should (theoretically) be under the supervision of users who specifically chose to move to the new, yet-to-be-mainstream release.</p>
<p>
	If you <em>did</em> install the Oracle build and you're concerned about the new exploit, you can disable the Java plugin in each of your browsers individually, or uninstall 1.7 entirely. While it bears repeating that there is no evidence of a Mac payload for this exploit at this time, if you don't have a specific reason to run the new version then it's probably safest to stick with JRE 1.6 instead (or turn off Java completely if you don't need it). In response to <a href="http://www.tuaw.com/tag/java/">past exploits including Flashback</a>, Apple's Java web plugin is now set to auto-disable when it isn't used for some time, further reducing the attack surface for Mac users.</p>
<p>
	[hat tip <a href="http://www.bromberger.com">Seth Bromberger</a>]</p><p style="padding:5px;background:#ddd;border:1px solid #ccc;clear:both;"><a href="http://www.tuaw.com/2012/08/28/java-1-7-zero-day-exploit-unlikely-to-impact-most-mac-users/">Java 1.7 zero-day exploit unlikely to impact Mac users (Updated)</a> originally appeared on <a href="http://www.tuaw.com">TUAW - The Unofficial Apple Weblog</a> on Tue, 28 Aug 2012 14:00:00 EST.  Please see our <a href="http://www.weblogsinc.com/feed-terms/">terms for use of feeds</a>.</p>]]></description><category>java</category><category>jre</category><category>mac</category><category>security</category><dc:creator>Michael Rose</dc:creator><pubDate>Tue, 28 Aug 2012 14:00:00 EST</pubDate></item><item><title>AppleCare freezes over-the-phone password resets in wake of hacking incident</title><link>http://www.tuaw.com/2012/08/07/applecare-freezes-over-the-phone-password-resets-in-wake-of-hack/</link><guid isPermaLink="true">http://www.tuaw.com/2012/08/07/applecare-freezes-over-the-phone-password-resets-in-wake-of-hack/</guid><comments>http://www.tuaw.com/2012/08/07/applecare-freezes-over-the-phone-password-resets-in-wake-of-hack/#comments</comments><description><![CDATA[<p style="text-align: center; ">
	<img alt="" src="http://www.blogcdn.com//media/2011/07/lionsecurityvehicletuawrmg23344.jpg" style="width: 456px; height: 341px; " /></p>
<p>
	The ripples from <a href="http://www.tuaw.com/2012/08/04/hacked-icloud-password-leads-to-nightmare/">Mat Honan's weekend security incursion</a> keep pushing outward. Earlier today <a href="http://www.tuaw.com/2012/08/07/amazon-responds-to-icloud-account-hacking/">Amazon shifted policy to prevent account details</a> from being changed via a phone call, which blocks one avenue the hackers used to get the personal info used to compromise Honan's iCloud account. Now, <a href="http://www.wired.com/gadgetlab/2012/08/apple-icloud-password-freeze/">according to Wired</a>, the other shoe has dropped: Apple's phone support team is in a <a href="http://www.wired.com/gadgetlab/2012/08/apple-icloud-password-freeze/">24-hour freeze for account resets by phone</a>.</p>
<p>
	This change, which Wired confirmed with an internal Apple source and also tested directly by trying to perform a password reset in a call with AppleCare, might be a temporary holding action until Apple comes up with a more permanent adjustment to its security policies. As Honan's story unfolded late Friday night, it wasn't immediately clear how the hackers gained access to his iCloud account, <a href="http://www.tuaw.com/2012/08/06/mat-honan-details-the-amazon-and-apple-security-flaws-that-let-h/">but it turned out that with just an email address</a>, mailing address and the last four digits of the account's credit card, AppleCare would provide a temporary account password over the phone.</p>
<p>
	Apple could implement a <a href="http://googleblog.blogspot.com/2011/02/advanced-sign-in-security-for-your.html">two-factor authentication scheme</a> similar to Google's approach, but that's confusing to set up for mobile devices and in situations where a separate challenge step doesn't work smoothly (calendar or email apps, for instance). Apple could also do a callback step to the phone that's on the account, although in the case of a stolen phone that might not help. Even a multiple-choice "which of these songs did you purchase on this date" account detail check might add some security to the process, but a perfect system hasn't been invented yet. Google's Tim Bray is <a href="http://www.tbray.org/ongoing/When/201x/2012/06/29/Becoming-an-Identity-guy">working on the future of authentication</a>, and he comments that one way to be safer online is to <a href="http://www.tbray.org/ongoing/When/201x/2012/08/07/Use-two-factor">not be "the softest touch on the block"</a> -- if you're a slightly harder nut to crack, security-wise, casual hackers will generally leave you alone in favor of easier targets.</p>
<p>
	As <a href="http://www.schneier.com/blog/archives/2012/08/overreaction_an.html">risk guru Bruce Schneier points out</a> (in the context of a far more tragic incident), "Novelty plus dread plus a good story equals overreaction." Human beings aren't particularly good at accurately assessing risk, and we focus on solving the last problem rather than the next one. Hopefully Apple will take this wake-up call on account security as an opportunity for a clear-eyed evaluation of some of <a href="http://www.tuaw.com/tag/fraud/">the ongoing, high-incidence security issues</a> it faces rather than focusing exclusively on the headline problem.</p>
<p>
	[hat tip to <a href="http://t.co/R2XlcsYL">MacRumors</a>]</p><p style="padding:5px;background:#ddd;border:1px solid #ccc;clear:both;"><a href="http://www.tuaw.com/2012/08/07/applecare-freezes-over-the-phone-password-resets-in-wake-of-hack/">AppleCare freezes over-the-phone password resets in wake of hacking incident</a> originally appeared on <a href="http://www.tuaw.com">TUAW - The Unofficial Apple Weblog</a> on Tue, 07 Aug 2012 22:00:00 EST.  Please see our <a href="http://www.weblogsinc.com/feed-terms/">terms for use of feeds</a>.</p>]]></description><category>hacking</category><category>icloud</category><category>mat honan</category><category>MatHonan</category><category>security</category><dc:creator>Michael Rose</dc:creator><pubDate>Tue, 07 Aug 2012 22:00:00 EST</pubDate></item></channel></rss>